Subaru Starlink flaw let hackers hijack cars in US and Canada

Security researchers have discovered an arbitrary account takeover flaw in Subaru’s Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using just a license plate.

Bug bounty hunter Sam Curry revealed on Thursday that the vulnerability was discovered on November 20, 2024, with the help of researcher Shubham Shah.

They found that the flaw gave a potential attacker unrestricted, targeted access to every U.S., Canadian, and Japanese customer account and vehicle. The only prerequisite was knowing a single identifier for the victim: last name and ZIP code, email address, phone number, or license plate.

Among other things, successful exploitation could have allowed hackers targeting Subaru customers to:

  • Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
  • Retrieve any vehicle’s location history from the past year (accurate to within 5 meters and updated each time the engine starts).
  • Query and retrieve any customer’s personally identifiable information (PII), including emergency contacts, authorized users, physical address, billing information (e.g., the last four digits of credit cards, excluding the full card number), and vehicle PIN.
  • Access miscellaneous user data, including support call history, previous owners, odometer reading, sales history, and more.

Curry also shared a video demonstrating how the Starlink vulnerability could be exploited to get more than a year’s worth of location data for a Subaru car within just 10 seconds.

As the researcher explained, the arbitrary account takeover lived in Subaru Starlink's employee admin portal: its "resetPassword.json" endpoint let a caller reset an employee's password by submitting that employee's email address, with no confirmation token or any other proof that the request came from the account holder. Any valid employee email was enough.

After taking over an employee's account, Curry still faced a two-factor authentication (2FA) prompt before the portal would let him in. The check, however, was enforced only in the browser: removing the client-side overlay from the portal's user interface was enough to bypass it, because the server was already serving the protected content behind it.
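The two weaknesses in this chain, a reset endpoint that trusts whoever names a valid account and an MFA gate that exists only in the browser, are easy to reproduce side by side with their fixes. The Python below is an added example written for this page, not Subaru's code: the portal classes, the sample employee account, the OTP and the vehicle record are all hypothetical. The hardened version requires a single-use, account-bound, expiring reset token (which would be delivered out of band) and checks the session's MFA state on the server for every privileged call, so stripping an overlay gains an attacker nothing.

```python
import hmac
import secrets
import time

# Constructed sample data (hypothetical; not real accounts or vehicles).
USERS = {"employee@example.com": {"password": "hunter2", "otp": "482913"}}
VEHICLE = {"plate": "ABC123", "owner": "J. Doe", "location": (40.71, -74.01)}


def _pw_ok(stored, given):
    # Plain-text storage keeps the example short; a real service stores a
    # salted hash. compare_digest avoids leaking the mismatch position.
    return hmac.compare_digest(stored.encode(), given.encode())


class VulnerablePortal:
    """Reproduces the two weaknesses described in the article."""

    def __init__(self):
        self.users = {e: dict(u) for e, u in USERS.items()}
        self.sessions = {}

    def reset_password(self, email, new_password):
        # Weakness 1: any valid employee e-mail is enough to set a new
        # password; nothing proves the request came from the account holder.
        if email not in self.users:
            return False
        self.users[email]["password"] = new_password
        return True

    def login(self, email, password):
        u = self.users.get(email)
        if not u or not _pw_ok(u["password"], password):
            return None
        sid = secrets.token_hex(16)
        # Weakness 2: the session is fully privileged after the password alone;
        # the 2FA prompt is just an overlay the browser is expected to show.
        self.sessions[sid] = {"email": email}
        return sid

    def vehicle_search(self, sid, plate):
        if sid not in self.sessions:
            return None
        return VEHICLE if plate == VEHICLE["plate"] else {}


class HardenedPortal:
    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

    def __init__(self, now=time.time):
        self.users = {e: dict(u) for e, u in USERS.items()}
        self.sessions = {}
        self.reset_tokens = {}  # token -> (bound email, expiry)
        self.now = now  # injectable clock so expiry can be tested offline

    def request_reset(self, email):
        # Fix 1: unguessable, single-use, account-bound, short-lived token that
        # would go out by e-mail. It is returned here only so the example runs
        # offline; the HTTP response should look identical whether or not the
        # address exists, to avoid account enumeration.
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, self.now() + self.TOKEN_TTL)
        return token

    def reset_password(self, email, token, new_password):
        entry = self.reset_tokens.pop(token, None)  # pop: any attempt consumes it
        if entry is None or entry[0] != email or self.now() > entry[1]:
            return False
        self.users[email]["password"] = new_password
        # Revoke existing sessions so a reset also evicts anyone already inside.
        self.sessions = {s: v for s, v in self.sessions.items() if v["email"] != email}
        return True

    def login(self, email, password):
        u = self.users.get(email)
        if not u or not _pw_ok(u["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"email": email, "mfa_verified": False}
        return sid

    def verify_otp(self, sid, code):
        s = self.sessions.get(sid)
        if s and hmac.compare_digest(self.users[s["email"]]["otp"].encode(), code.encode()):
            s["mfa_verified"] = True
            return True
        return False

    def vehicle_search(self, sid, plate):
        # Fix 2: MFA state is checked server-side on every privileged call.
        s = self.sessions.get(sid)
        if not s or not s["mfa_verified"]:
            return None
        return VEHICLE if plate == VEHICLE["plate"] else {}


def attack_vulnerable(portal, victim):
    """The chain from the article: reset with only an e-mail, log in, ignore
    the 2FA overlay, query a vehicle. Returns True if vehicle data came back."""
    portal.reset_password(victim, "attacker-chosen")
    sid = portal.login(victim, "attacker-chosen")
    return portal.vehicle_search(sid, "ABC123") is not None  # never did MFA


def attack_hardened(portal, victim):
    """Same chain against the hardened portal: the guessed token is rejected,
    and even the real password (say, phished) yields nothing without MFA."""
    if portal.reset_password(victim, "guessed-token", "attacker-chosen"):
        return True
    sid = portal.login(victim, USERS[victim]["password"])
    return portal.vehicle_search(sid, "ABC123") is not None


def legitimate_reset(portal, email, new_password):
    """The intended flow: token arrives out of band, then login plus OTP."""
    token = portal.request_reset(email)
    if not portal.reset_password(email, token, new_password):
        return False
    sid = portal.login(email, new_password)
    portal.verify_otp(sid, USERS[email]["otp"])
    return portal.vehicle_search(sid, "ABC123") is not None
```

The hardened reset deliberately consumes the token on any attempt, including one with the wrong account or an expired clock, so an attacker who intercepts a token cannot keep retrying it; the legitimate user simply requests a fresh one.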

“There were a ton of other endpoints. One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle,” he said.

“After searching and finding my own vehicle in the dashboard, I confirmed that the STARLINK admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan.”

The researchers also confirmed that every action the portal offered worked against a vehicle identified only by its license plate, using a friend's Subaru as the test target.

Curry says Subaru patched the vulnerability within 24 hours of the researchers' report and that it was never exploited by an attacker.

A group of security researchers that included Curry previously found a similar flaw in Kia's dealer portal, one that would have let attackers locate and steal millions of Kia cars made since 2013 using just the target vehicle's license plate.
