Vulnerabilities in the STARLINK telematics software used in late-model passenger vehicles made by Subaru enabled two independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan.
In a report published Thursday, noted researcher Sam Curry (zlz.bsky.social) revealed a now-patched flaw in Subaru’s STARLINK connected vehicle service that allowed him to access vehicle location information and driver data with nothing more than the vehicle’s license plate number, or the owner’s email address, ZIP code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.)
According to Curry’s report, the vulnerability was first discovered in November and enabled Curry and Shubham Shah to remotely control Subaru vehicles, including a car owned by Curry’s mother and another owned by an associate. Among other things, Curry and Shah were able to remotely start, stop, lock, unlock, and retrieve the current location of Subaru vehicles and access the vehicle’s complete location history from the past year, with location accurate to within 5 meters, Curry wrote.
Subaru vs. Web Hackers: More of the shame
The flaws are just the latest to be discovered by Curry, working in conjunction with other independent security researchers. In a January 2023 report, Web Hackers Versus The Auto Industry, Curry documented wide-ranging security failings in telematics systems from 16 separate car makers and auto industry suppliers that power hundreds of millions of vehicles. Among the manufacturers called out in that report were Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, BMW, Rolls Royce, Ford and Toyota. Subaru was not among the manufacturers Curry called out in his 2023 report, but the latest research reads like a continuation of that work.
As in his previous research, Curry and Shah set their sights on publicly accessible systems intended for employees rather than drivers. “From my past experience with car companies, I knew there could be publicly accessible employee-facing applications with broader permissions than the customer-facing apps,” Curry wrote. And, lo and behold, a quick, cursory Internet search by Shah turned up a promising candidate: subarucs.com, which served as the backend for customer-facing sites like my.subaru.com.
Account takeovers the easy way!
By scouring the HTML source code of the login page for subarucs.com and leveraging brute force attacks and the open source fuzzing tool ffuf, Curry came across a file, login.js, that revealed what appeared to be an endpoint, resetPassword.json, that could reset any Subaru employee’s account password with nothing more than a valid employee email, and without requiring a confirmation token.
Some simple LinkedIn searches for Subaru employees associated with the STARLINK service quickly yielded a valid email address, which Curry and Shah – after disabling a two-factor authentication feature on the Subaru client app – used to reset the Subaru employee’s password and gain privileged access to the STARLINK system. What they found astounded them.
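The core of the account takeover described above is a password-reset endpoint that changes a password on the strength of an email address alone. The following is an added example, not code from Curry’s report or from Subaru’s systems: it puts a reset handler in that flawed shape beside a hardened one in which the password changes only when the caller presents a random, single-use, expiring token that was bound to the account when the reset was requested. The in-memory user store, the employee address, the token lifetime and the password hashing are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state for the demo; a real service would use its user database.
USERS = {"employee@example.invalid": {"password_hash": None}}
RESET_TOKENS = {}            # sha256(token) -> (bound email, expiry timestamp)
TOKEN_TTL_SECONDS = 15 * 60  # constructed lifetime; short so an intercepted token is worth little


def _hash_password(password):
    # Illustrative only; a real system uses a slow, salted hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def verify_password(email, password):
    user = USERS.get(email)
    return user is not None and user["password_hash"] == _hash_password(password)


def weak_reset_password(email, new_password):
    """The flawed pattern: any caller who knows a valid account email sets a new password.
    Nothing ties the request to the mailbox owner, so knowing the address is enough."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


def request_reset(email, now=None):
    """Hardened step 1: mint a random, single-use, expiring token bound to the account.
    The token is returned here only so the demo can complete the flow; in production it is
    delivered to the mailbox and never returned to the caller. The response looks the same
    whether or not the account exists, so the endpoint does not enumerate valid addresses."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in USERS:
        token_key = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
        RESET_TOKENS[token_key] = (email, now + TOKEN_TTL_SECONDS)
    return token


def confirm_reset(email, token, new_password, now=None):
    """Hardened step 2: the password changes only with a live token bound to this email."""
    now = time.time() if now is None else now
    token_key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_key, None)  # pop: a token can be redeemed at most once
    if entry is None:
        return False
    bound_email, expires_at = entry
    if not hmac.compare_digest(bound_email.encode(), email.encode()) or now > expires_at:
        return False
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True
```

The hardened flow also should not weaken any second factor on the account: the report notes that the researchers disabled a two-factor feature on the client app before using the reset, and a reset that completes without re-verifying the second factor leaves that control bypassable.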
A year’s worth of driving data: there for the taking
Curry entered the last name and zip code of his mother and found he had access to records of all of her movements in her 2023 Subaru Impreza going back a full year – more than 1,600 unique locations. In addition, the system allowed them to access the personally identifiable information (PII) of any customer, including the vehicle owner’s emergency contacts, authorized users, physical address, billing information and vehicle PIN.
A vehicle search feature in the application let Curry and Shah query a customer’s last name and zip code, phone number, email address, or VIN (retrievable via license plate) and modify access to their vehicle, including granting third parties access. After consulting with another friend who was a Subaru owner, they looked up her vehicle with nothing more than her license plate number, then added themselves to her account. They were then able to remotely lock and unlock her vehicle.
According to Curry, his friend never received notification from Subaru that her STARLINK account had been accessed by a third party or that additional parties had been given access to her vehicle.
(Not) learning from the past
The details of Curry and Shah’s hack of the STARLINK telematics system bear a strong resemblance to earlier hacks documented in the Web Hackers Versus the Auto Industry campaign, as well as a September 2024 discovery of a remote access flaw in web-based applications used by Kia automotive dealers that also gave remote attackers the ability to steal owners’ personal information and take control of their Kia vehicles.
In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by dealerships as well as employees to remotely manage deployed vehicles. In the case of Kia, for example, Curry struggled to find flaws on the owners.kia.com site, but uncovered another web application, kiaconnect.kdealer.com, while digging through the company’s web application code – a process very similar to the one used to expose the subarucs.com domain.
After uncovering the non-public applications, Curry and his colleagues found a shocking lack of security in them: such applications often make it easy for unauthorized individuals to create accounts and access sensitive driver and vehicle data.
Despite the reams of sensitive data that vehicles are collecting from users, automakers have very lax security, emphasizing ease of access instead, Curry said.
“The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells.”
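Two of the gaps the article describes are detectable from an audit trail: an owner never being told that a third party was added to her vehicle, and an employee querying a customer’s billing record far outside any plausible work context without anything being raised. The following is an added example, not code from the report or from any automaker: it takes audit events of the kind an employee-facing vehicle-management portal would emit and runs two checks over them, one for access grants with no owner notification afterwards, one for billing lookups where the employee’s assigned region differs from the customer’s. The event fields, the region attribute and the events themselves are constructed for the demo.

```python
from collections import namedtuple

# Constructed audit-event shape: who acted, their assigned region, what they did, and on whom.
AccessEvent = namedtuple(
    "AccessEvent", "ts actor actor_region action customer_id customer_region"
)

# Constructed sample trail: a Texas-based employee reads a California customer's billing
# record and adds a third party to another California customer's vehicle with no
# notification; a New Jersey employee's grant is followed by an owner notification.
CONSTRUCTED_EVENTS = [
    AccessEvent("2025-01-10T09:00:00Z", "emp.tx", "TX", "lookup_billing", "cust-CA-1", "CA"),
    AccessEvent("2025-01-10T09:01:00Z", "emp.tx", "TX", "lookup_billing", "cust-TX-1", "TX"),
    AccessEvent("2025-01-10T09:05:00Z", "emp.tx", "TX", "grant_access", "cust-CA-2", "CA"),
    AccessEvent("2025-01-10T10:00:00Z", "emp.nj", "NJ", "grant_access", "cust-NJ-1", "NJ"),
    AccessEvent("2025-01-10T10:00:05Z", "system", "-", "notify_owner", "cust-NJ-1", "NJ"),
    AccessEvent("2025-01-10T10:02:00Z", "emp.nj", "NJ", "lookup_billing", "cust-NJ-1", "NJ"),
]


def unnotified_access_grants(events):
    """Customers who had another party granted access to their vehicle with no owner
    notification at or after the grant. Timestamps are ISO 8601 in UTC, so string
    comparison preserves their order."""
    first_grant = {}   # customer_id -> timestamp of the earliest grant
    notified = set()
    for e in events:
        if e.action == "grant_access":
            first_grant.setdefault(e.customer_id, e.ts)
        elif (e.action == "notify_owner"
              and e.customer_id in first_grant
              and e.ts >= first_grant[e.customer_id]):
            notified.add(e.customer_id)
    return sorted(c for c in first_grant if c not in notified)


def cross_region_billing_lookups(events):
    """Billing-data lookups where the employee's region differs from the customer's.
    Each one is returned individually so it can raise an alert rather than vanish
    into an aggregate count."""
    return [
        (e.ts, e.actor, e.customer_id)
        for e in events
        if e.action == "lookup_billing" and e.actor_region != e.customer_region
    ]


if __name__ == "__main__":
    for customer in unnotified_access_grants(CONSTRUCTED_EVENTS):
        print(f"ALERT grant without owner notification: {customer}")
    for ts, actor, customer in cross_region_billing_lookups(CONSTRUCTED_EVENTS):
        print(f"ALERT cross-region billing lookup: {actor} -> {customer} at {ts}")
```

Both checks only work if the portal writes the events in the first place; the owner-notification check in particular depends on the notification being logged as its own event, so a missing event means a missing notification rather than a logging gap that silently hides one.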