Hackers Crack Subaru’s Connected Services To Access Location Data, Door Locks And More


Posted on January 23, 2025 By rehan.rafique


If you own a modern Subaru, chances are you’ve heard of Starlink — the company’s connected services suite, which lets you control your car through an app or call roadside assistance to your location. That system, though, has other functionality that you might not know about: it stores your car’s location history for the last year and makes that information available through an admin panel that, until recently, was left wide open for hackers.


Penetration testers Sam Curry and Shubham Shah discovered a vulnerability in Starlink’s administrator console that allowed hackers to compromise the accounts of Subaru employees and gain admin access to the system. With that access, hackers could track a car’s Starlink location pings for the last year and use the typical Starlink app functionality: locking, unlocking, geofencing, and more.

The description of the vulnerability involves reading a lot of JavaScript, but the attack vector itself came from Subaru employee accounts. Curry and Shah found the link to the Starlink admin portal through communications from the MySubaru app, and discovered that account passwords could be reset without confirmation from the account holder. The pair figured out the format for Subaru email addresses, brute-forced the site until an address worked, then bypassed the security question prompt. With that, they were in.
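
The reset flow described above failed in three places: addresses could be confirmed by guessing, the reset needed no confirmation from the account holder, and the security question prompt could be skipped. As an added example (not code from Subaru, the researchers or the original article), here is a minimal server-side reset service that closes each gap; the class, method names and policy constants are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900        # seconds a reset token stays valid (assumed policy)
MAX_REQUESTS = 5       # reset requests allowed per client per window (assumed)
WINDOW = 3600          # rate-limit window in seconds (assumed)
GENERIC_REPLY = "If that address has an account, a reset link has been sent."


class ResetService:
    """Hypothetical server-side password reset; all names are illustrative."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts      # email -> password hash
        self.tokens = {}              # email -> (sha256 of token, expiry time)
        self.requests = {}            # client id -> recent request times
        self.outbox = []              # stands in for the mail system
        self.now = now

    def request_reset(self, client_id, email):
        t = self.now()
        recent = [r for r in self.requests.get(client_id, []) if t - r < WINDOW]
        recent.append(t)
        self.requests[client_id] = recent
        # Throttled, unknown and valid addresses all get the same reply, so
        # guessing address formats reveals nothing about which ones exist.
        if len(recent) <= MAX_REQUESTS and email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[email] = (digest, t + TOKEN_TTL)
            self.outbox.append((email, token))   # delivered to the owner's mailbox
        return GENERIC_REPLY

    def complete_reset(self, email, token, new_hash):
        # The decision is made here, on the server, from the mailed token alone;
        # there is no separate prompt whose outcome a client could skip.
        digest, expiry = self.tokens.get(email, ("", 0.0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, supplied) or self.now() > expiry:
            return False
        del self.tokens[email]                   # token is single use
        self.accounts[email] = new_hash
        return True
```
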

The admin panel allowed access to any Subaru in the United States, Canada, or Japan. All it required was a VIN, which Curry and Shah could get from registration records using a license plate number. That means that any Subaru on the street with a visible license plate could theoretically be accessed with this vulnerability.

Of course, being good white hats, Curry and Shah didn’t publish the vulnerability until it had already been patched. The pair informed Subaru of the issue back in November, and it was fixed within 24 hours. Still, there’s no telling what other ways there may be to access the Starlink admin panel that the company doesn’t yet know about — or what other connected car suites have the same problems.
