Subaru’s Starlink multimedia technology debuted in 2016. It’s the software suite that runs everything from the infotainment system to navigation and a plethora of modern conveniences we generally love in cars. Such systems can be lucrative targets for hackers, and with the breadth of systems accessible through Starlink, a malicious hack could wreak havoc.
Fortunately, a potentially catastrophic loophole in Starlink was discovered by “ethical” hacker Sam Curry. In a detailed post on his blog, he chronicles how he and a colleague found the issue and took control of two different Subies. For the record, Subaru was immediately contacted once the vulnerability was found and a fix was implemented right away. A Subaru spokesperson provided the following statement to Motor1.
Subaru of America, Inc., after being notified by independent security researchers, discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed.
Starlink customer accounts were not accessed or compromised. The independent researchers received authorization from their friends and family to access their information.
So what happened exactly? We’ll leave all the details to the blog, but in a nutshell, hackers discovered a way to gain administrator access to Starlink and add themselves to individual accounts. With that kind of access, they could effectively find and assume control of any Subaru connected to Starlink by entering basic information like the owner’s last name and zip code or license plate number. Once logged in, the hacker could operate the door locks, start or stop the engine, and see the vehicle’s current location. And that’s just the real-time activity.
Photo by: Subaru
Hackers could also pull the vehicle’s location history over the previous 12 months, seeing exactly where it’s been and for how long. Personal data was also at risk, including authorized users on the account, physical addresses, and the last four digits of any credit cards associated with the account. Yikes.
The hackers were successfully able to gain control of a 2023 Subaru Impreza (with permission of the owner) and track its location history. They accessed a second car (again, with permission) and cycled the locks, all with the owner watching to confirm. According to the blog, actual vehicle owners never received a notification that a new user had been added to their account.
Thankfully, this was caught before someone with nefarious intentions found the issue. But it’s a stark reminder of the potential dangers of living in a connected world.