A significant security vulnerability has been discovered in Subaru's Starlink connected vehicle service, potentially affecting millions of vehicles across the United States, Canada, and Japan. Security researchers Sam Curry and Shubham Shah uncovered flaws that allowed unrestricted access to customer accounts via an administrative panel meant only for Subaru employees. The vulnerability stemmed from a weakness in the panel's JavaScript code that enabled password resets for any employee account without proper authentication, which let the researchers bypass two-factor authentication and gain full access to the system.
This access granted the researchers the ability to view extensive vehicle information such as location histories, VINs, and customer details, including names, phone numbers, and billing information. Alarmingly, it also extended to remotely controlling the vehicles, including starting, stopping, locking, and unlocking cars. Attackers could essentially add themselves as authorized users of any targeted vehicle without the owner's knowledge or consent. The vulnerability also exposed one year of car location history.