Attack on Subaru Software

Vulnerability Found in Subaru Software, Allowing Remote Unlocking, Starting, and Tracking of Millions of Vehicles

Cybersecurity researchers Sam Curry and Shubham Shah uncovered vulnerabilities in Subaru’s Starlink infotainment system (unrelated to SpaceX’s satellite service) that enabled partial remote control of vehicles and tracking of their movements.

The researchers managed to exploit the Starlink system through Subaru’s web portal. By replicating their actions, a potential attacker could unlock the car, honk the horn, start the engine, and even assign these functions to another phone or computer. Additionally, the system allowed for tracking the current location of a Subaru vehicle and viewing its movement history.

In one example, Curry used his mother’s car to test the vulnerability and discovered all her trips to the doctor, visits to friends, and even the exact parking spot she used when going to church. These vulnerabilities were present in Starlink systems used across the U.S., Canada, and Japan.

Method of Exploitation

The researchers identified the domain name of the website that facilitated remote control of vehicle functions. By examining the site, they found a way to gain administrative privileges. This was achieved by guessing an employee’s email address and resetting their password. The password reset process relied on answering two security questions, but the verification was handled by a local script in the user’s browser rather than on Subaru’s server, making it easy to bypass.
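The flaw described above, modeled as an added example (not code from Subaru or the researchers): a reset endpoint that relies on a browser-side check, next to a design where the server verifies the answers and issues a single-use token. All function names, the in-memory stores, and the sample account are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Normalize and hash an answer so plaintext answers are never stored or sent to the browser.
const hash = (s) => nodeCrypto.createHash('sha256').update(s.trim().toLowerCase()).digest();

// Constructed sample account (password hashing omitted to keep the model short).
const users = new Map([['dev@example.test', {
  password: 'old', answers: [hash('blue'), hash('rex')] }]]);
const resetTokens = new Map(); // token -> { email, expires }

// Weak design: the browser script "checked" the answers, so the server
// has no proof of verification and accepts a reset for any known account.
function resetPasswordWeak(email, newPassword) {
  const u = users.get(email);
  if (!u) return false;
  u.password = newPassword;
  return true;
}

// Hardened step 1: the server compares the answers and only then issues a token.
function verifyAnswers(email, answers, now = Date.now()) {
  const u = users.get(email);
  if (!u || !Array.isArray(answers) || answers.length !== u.answers.length) return null;
  let ok = true;
  u.answers.forEach((stored, i) => {
    // Compare every answer in constant time; do not stop at the first mismatch.
    ok = nodeCrypto.timingSafeEqual(stored, hash(String(answers[i]))) && ok;
  });
  if (!ok) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  resetTokens.set(token, { email, expires: now + 10 * 60 * 1000 });
  return token;
}

// Hardened step 2: the password changes only with a valid, unexpired, single-use token.
function resetPasswordHardened(token, newPassword, now = Date.now()) {
  const entry = resetTokens.get(token);
  resetTokens.delete(token); // single use, consumed even when the attempt fails
  if (!entry || entry.expires < now) return false;
  users.get(entry.email).password = newPassword;
  return true;
}
```

A production flow would also rate-limit `verifyAnswers` per account and per source address and log every failed attempt.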

On LinkedIn, the researchers found the email address of a Subaru Starlink developer, broke into their account on the administrative portal, and discovered that it allowed access to any Subaru vehicle owner’s information using details like last name, zip code, email address, phone number, or license plate number. Once a vehicle was located, the system provided full access to its Starlink configuration.


Subaru’s Response

Curry and Shah reported their findings to Subaru in late November. The automaker promptly patched the vulnerabilities, resolving the security risks. However, the issue of data privacy remains unresolved: although potential attackers no longer have access, Subaru employees still retain the ability to track vehicles and review movement histories.

The company confirmed that its employees do have such access, but emphasized that they undergo proper training and sign confidentiality agreements. According to Subaru, this access is necessary to provide emergency responders with vehicle locations in the event of an accident detected by the system.

Broader Implications for Privacy

Subaru’s ability to track its vehicles underscores a broader issue within the auto industry—there are no guarantees of privacy anymore. Curry pointed out that, for example, a Google employee cannot access users’ Gmail messages without authorization, but Subaru employees can view detailed movement histories of their customers’ vehicles.

This incident is not isolated; earlier reports revealed similar data exposure from VW Group due to actions by its subsidiary Cariad.

Conclusion

The revelation raises serious concerns about privacy and data security in the automotive sector. While Subaru’s quick response addressed the immediate security vulnerabilities, the broader question of customer data privacy and the industry’s approach to handling sensitive information remains unresolved.
