Vulnerabilities in Subaru STARLINK expose their vehicles to hacking and tracking risks

Last update: April 8th 2026
  • Vulnerabilities in Subaru STARLINK allowed remote access and control of functions (unlocking, ignition) and obtaining location history.
  • Administrative portal flaw: passwords could be reset without confirmation and security questions were verified on the client, facilitating access to employee accounts.
  • Data exposed: a year's worth of locations, addresses, emergency contacts and partial banking data, increasing risks of theft and invasion of privacy.
  • Subaru patched the issue in less than 24 hours, but employees retain access to records; it reflects industry-wide risks and a need for regulations and best practices.

Recent research has revealed serious vulnerabilities in Subaru's STARLINK connected system, allowing hackers to remotely access and compromise the security of millions of vehicles in the United States, Canada and Japan. These security flaws have raised alarms about the inherent risks of connected vehicles, which collect vast amounts of sensitive data and rely on technology to operate many of their functions.

Researchers Sam Curry and Shubham Shah discovered that Subaru's system suffered from multiple deficiencies that allowed them to take remote control of vehicles and access sensitive information such as a year's worth of detailed location history. They were also able to unlock doors, manipulate the ignition and even modify user settings. This discovery highlights the privacy and security threats associated with the digitalization of automobiles.

How Were Vulnerabilities Identified?

The analysis began when Curry decided to explore the connected system of a 2023 Subaru Impreza purchased for his mother. While investigating, he and his partner discovered an administrative portal for Subaru employees that contained serious security flaws. The portal allowed passwords to be reset without confirmation, simply by knowing an employee's email address. Additionally, security questions were verified locally in the user's browser rather than on Subaru's servers, making it easier to bypass this layer of protection.
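
The two portal flaws described above, a reset that needed no confirmation and security questions checked in the browser, both come down to checks that were not enforced on the server. The following Python is an added example, not Subaru's code or the researchers': the `ResetService` class, its method names, the in-memory stores and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a reset link stays valid (assumed policy value)

def _kdf(secret, salt):
    # Slow salted hash so stored answers and passwords are not reversible
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _norm(answer):
    return " ".join(answer.lower().split())  # ignore case and extra spaces

class ResetService:  # hypothetical portal back end; every check runs server-side
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # email -> {"salt", "answer", "password"} (hashes)
        self.pending = {}   # sha256(token) -> (email, expiry)
        self.outbox = []    # stand-in for the mail system: (email, token)

    def enroll(self, email, answer, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "answer": _kdf(_norm(answer), salt),
                                "password": _kdf(password, salt)}

    def request_reset(self, email):
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))  # only the mailbox owner sees it
        # Identical reply either way, so the form does not confirm addresses
        return "If the account exists, a confirmation link has been sent."

    def complete_reset(self, token, answer, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop(): a token is spent on first use, even when the answer is wrong
        email, expiry = self.pending.pop(digest, (None, 0))
        if email is None or self.clock() > expiry:
            return False
        acct = self.accounts[email]
        if not hmac.compare_digest(_kdf(_norm(answer), acct["salt"]), acct["answer"]):
            return False
        acct["password"] = _kdf(new_password, acct["salt"])
        return True

    def check_password(self, email, password):
        acct = self.accounts[email]
        return hmac.compare_digest(_kdf(password, acct["salt"]), acct["password"])
```

Knowing an email address alone gets nothing here: the password changes only when the caller presents both the mailed token and an answer that the server itself compares against its stored hash.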

After gaining access to an employee account, the researchers demonstrated that they could search for vehicles using basic data such as a last name, zip code, email, phone number or license plate. From there, they could manipulate vehicle functions, access the vehicle's location history, and obtain personal information about the owner, including addresses, emergency contacts and partial billing details.

The Impact of Vulnerabilities

The risks associated with this failure are significant. Accessible data included:

  • A full year of location history, with precise coordinates updated every time the car was started.
  • Personal information such as names, addresses, emergency contacts and partial bank details.
  • Vehicle functions such as unlocking doors, remote ignition and horn activation.

These vulnerabilities not only put the owners' privacy at risk, but also opened up possibilities for theft, harassment and even sabotage of vehicles. The researchers stressed that these breaches reveal a worrying outlook for cybersecurity in the automotive industry in general.

Subaru's response

Subaru was alerted to these vulnerabilities in November 2024. To its credit, the company acted quickly, patching the system less than 24 hours after being informed. A Subaru spokesman said that “No customer information was accessed without authorization” and that the systems have been improved with continuous monitoring to prevent future threats.

However, researchers noted that despite the patches, Subaru employees still have access to the feature that allows them to view location histories for work reasons, raising long-term privacy concerns.

A widespread problem in the industry

According to researchers, the Subaru case is not unique. Similar vulnerabilities have been detected in vehicles from other brands, including Acura, Honda, Hyundai and Toyota. Lack of robustness in data protection systems is a recurring problem in the industry, where manufacturers often prioritize functionality over security.

A 2023 Mozilla report classified modern cars as a “privacy nightmare,” highlighting that 92% of manufacturers offer users no control over their vehicles' collected data and 84% reserve the right to share or sell such information. This level of exposure underlines the urgent need for stricter regulations and cybersecurity standards in the automotive sector.

In his blog, Curry emphasized the inherent vulnerability of systems that allow employees to access sensitive information without adequate restrictions. “The automotive industry relies heavily on trust, but lacks the necessary guardrails to protect consumer data,” he said.

This incident reinforces the importance of implementing robust security measures and also serves as a reminder to users to be aware of the risks that come with connectivity in cars.
