Critical vulnerability in Subaru Starlink service allows hackers to steal cars in the US and Canada

27.01.2025 2 minutes Author: Newsman

Cybersecurity researchers have discovered a vulnerability in Subaru’s Starlink service that allows hackers to remotely track, control and steal cars using only the license plate. The problem was fixed 24 hours after discovery.

Researchers Sam Curry and Shubham Shah have discovered a critical vulnerability in Subaru’s Starlink service. It allowed hackers to gain access to user accounts in the US, Canada and Japan if they knew the victim’s license plate, last name, ZIP code, email or phone number. Exploiting this vulnerability would have allowed an attacker to:

  • remotely start or stop the engine, lock/unlock the doors and get the current location of the car;
  • track the history of the car’s movements for the last year with an accuracy of up to 5 meters;
  • access users’ personal information, including address, payment details, and vehicle PIN.

Subaru’s Starlink is an Internet-connected car service that provides convenient remote control and tracking of a vehicle. The vulnerability was linked to the “resetPassword.json” tool, which could change an account’s password without confirmation and so allowed access to the account through the administration panel.
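A password change that needs no confirmation, next to one that requires a token delivered to the account owner, as an added example that is not from the article or from Subaru's code. The class, method names and token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # assumed lifetime of a reset token, in seconds


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical in-memory account store, constructed for this example."""

    def __init__(self):
        self.creds = {}    # email -> (salt, password hash)
        self.pending = {}  # email -> (sha256 of reset token, expiry time)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.creds[email] = (salt, _pw_hash(password, salt))

    def check_password(self, email, password):
        salt, digest = self.creds[email]
        return hmac.compare_digest(digest, _pw_hash(password, salt))

    def reset_unconfirmed(self, email, new_password):
        # Flawed pattern: knowing the e-mail address is enough to set a password.
        self.set_password(email, new_password)

    def request_reset(self, email, now=None):
        # The token goes to the account owner out of band; only its hash is kept.
        if email not in self.creds:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[email] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token

    def confirm_reset(self, email, token, new_password, now=None):
        now = time.time() if now is None else now
        stored = self.pending.pop(email, None)  # consumed on any attempt (single use)
        given = hashlib.sha256(token.encode()).digest()
        if stored is None or now > stored[1] or not hmac.compare_digest(stored[0], given):
            return False
        self.set_password(email, new_password)
        return True
```

The hardened path refuses the change unless the caller presents a fresh, unused token that only the account owner received.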

The issue was resolved within 24 hours, and Subaru confirmed that the vulnerability was not exploited. The Subaru Starlink vulnerability highlights the importance of strict cybersecurity measures in Internet-connected cars. Researchers once again emphasize the need to constantly test and improve the security of automotive systems.
