Subaru Security Vulnerabilities Reveal Risks in Tracking Millions of Vehicles

In late November, researchers Curry and Shah disclosed critical security flaws within Subaru’s Starlink service, prompting the automaker to implement fixes swiftly. However, they caution that these vulnerabilities are merely the latest examples in a broader pattern of web-based security issues affecting numerous automobile manufacturers. Their findings highlight that similar exploitable defects may exist in the web tools of many car companies, including well-known brands like Acura, Honda, Hyundai, and Toyota, among others.

Specifically regarding Subaru, Curry and Shah emphasize serious concerns about customer privacy. They indicate that the vulnerabilities allow individuals with access to Subaru’s internal portal to track user movements, raising long-term privacy implications beyond the immediate security concerns. Curry articulated that while the flaws were rectified, the underlying functionality that permits Subaru employees to view extensive user location histories persists. This could empower staff to access a year’s worth of data on a customer’s whereabouts, posing significant privacy risks.

In response to these alarming revelations, Subaru provided a statement to WIRED, confirming that they had acted upon the researchers’ notification. The spokesperson acknowledged the discovery of a vulnerability that could have potentially allowed unauthorized access to Starlink accounts. Subaru emphasized that they acted swiftly to close the breach and asserted that no customer data had been compromised during the incident.

The spokesperson elaborated on the access privileges of Subaru employees, noting that certain roles require them to view location data—especially in emergencies where assistance is needed following accidents. They reassured that all personnel granted access undergo rigorous training and are mandated to sign confidentiality and privacy agreements, citing ongoing efforts to enhance their security measures against evolving cyber threats.

The researchers, however, maintained that such emergency access would not necessitate a full year’s worth of location history. Subaru did not clarify to WIRED how long they retain location data for employee access nor how this policy is governed.

Curry and Shah’s investigation began when they recognized that the Starlink app linked to an administrative domain associated with Subaru employees, SubaruCS.com. Their search for security flaws revealed a significant weakness: they could reset the password of any Subaru employee account simply by guessing a valid email address. The reset process relied on security questions, but the answers were validated by local browser code rather than by server-side checks, so the check could be easily circumvented.
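To make the flaw concrete, here is an added illustration (not Subaru’s code, and not the researchers’ proof of concept) of a password-reset handler that trusts a browser-set `question_verified` flag, beside one that checks the security answer on the server. The account store, salt, email and answers are all constructed for the example.

```python
import hashlib
import hmac

# Constructed, in-memory account store for the example. The security-question
# answer is stored only as a salted hash; it is never sent to the browser.
SALT = b"example-salt"


def _answer_hash(answer: str) -> str:
    # Normalise case/whitespace so "Fido" and " fido " compare equal.
    return hashlib.sha256(SALT + answer.strip().lower().encode()).hexdigest()


ACCOUNTS = {
    "dev@example.com": {"answer_hash": _answer_hash("Fido"), "password": "old-pass"},
}


def reset_insecure(email: str, request: dict) -> bool:
    """Flawed pattern: browser-side code checks the security answer and then
    sets 'question_verified' in the request. The server never sees the answer,
    so anyone who can edit the request can set the flag themselves."""
    acct = ACCOUNTS.get(email)
    if acct is None or not request.get("question_verified"):
        return False
    acct["password"] = request["new_password"]
    return True


def reset_secure(email: str, request: dict, attempts: dict) -> bool:
    """Hardened pattern: the answer itself is submitted and compared on the
    server against its stored hash, in constant time, with a per-account
    attempt limit. Any client-supplied 'verified' flag is ignored."""
    # Count every attempt, including ones for unknown emails, so the
    # response timing and outcome do not help enumerate accounts.
    attempts[email] = attempts.get(email, 0) + 1
    if attempts[email] > 5:
        return False
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    supplied = _answer_hash(request.get("security_answer", ""))
    if not hmac.compare_digest(supplied, acct["answer_hash"]):
        return False
    acct["password"] = request["new_password"]
    return True
```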

Through this exploratory process, they located on LinkedIn an email address belonging to a Subaru Starlink developer and gained access to that individual’s account. This enabled them to query the database and retrieve information about any Subaru owner using simple search parameters such as last name, zip code, or license plate number. Within moments, they could take control of critical Starlink functionality—including remotely unlocking a vehicle, starting the engine, and other potentially intrusive capabilities.

This incident illustrates several tactics that may align with the MITRE ATT&CK framework, particularly initial access through credential guessing and privilege escalation by exploiting weak authentication mechanisms. As cybersecurity continues to be a pressing concern across sectors, this case highlights the importance of robust security practices and rigorous access management in safeguarding sensitive customer data against unauthorized access and potential misuse.
