Sunday, February 23, 2025

Subaru Starlink flaw let hackers hijack automobiles in US and Canada


Security researchers have found an arbitrary account takeover flaw in Subaru’s Starlink service that could let attackers track, control, and hijack vehicles in the US, Canada, and Japan using only a license plate.

Bug bounty hunter Sam Curry revealed on Thursday that the vulnerability was found on November 20, 2024, with the assistance of researcher Shubham Shah.

They discovered that the security flaw gave potential attackers unrestricted targeted access to all U.S., Canadian, and Japanese customer accounts and vehicles. The only requirements were prior knowledge of the victim’s last name and ZIP code, email address, phone number, or license plate.

Among other things, successful exploitation could have allowed hackers targeting Subaru customers to:

  • Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
  • Retrieve any vehicle’s location history from the past year (accurate to within 5 meters and updated every time the engine starts).
  • Query and retrieve any customer’s personally identifiable information (PII), including emergency contacts, authorized users, physical address, billing information (e.g., the last 4 digits of credit cards, excluding the full card number), and vehicle PIN.
  • Access miscellaneous user data, including support call history, previous owners, odometer reading, sales history, and more.

Curry also shared a video demonstrating how the Starlink vulnerability could be exploited to get more than a year’s worth of location data for a Subaru car within just 10 seconds.

As the researcher discovered, Subaru Starlink’s admin portal contained an arbitrary account takeover flaw stemming from a “resetPassword.json” API endpoint designed to allow Subaru employees to reset their accounts using a valid email with no confirmation token.

After taking over an employee’s account, Curry also had to bypass a two-factor authentication (2FA) prompt to access the portal. However, this was also easily circumvented by removing the client-side overlay from the portal’s user interface.
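The two weaknesses described above (a reset accepted without a confirmation token, and 2FA enforced only by a client-side overlay) both come down to missing server-side checks. The sketch below is an added example, not Subaru's code: the `ResetService` class, its method names and the 15-minute token lifetime are all hypothetical, and it models a reset that requires a single-use, expiring token plus a data endpoint that checks 2FA state held on the server.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900  # assumed reset-token lifetime in seconds

class ResetService:
    """Hypothetical in-memory model of an admin portal's auth backend."""
    def __init__(self):
        self.passwords = {}  # email -> password (use a password KDF in real code)
        self.pending = {}    # email -> (sha256 of reset token, expiry time)
        self.sessions = {}   # session id -> {"email": ..., "mfa_ok": bool}

    def request_reset(self, email, now=None):
        """Issue a token for known accounts; same response shape for unknown ones."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        if email in self.passwords:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, now + TOKEN_TTL)
        return token  # in production this is e-mailed, never returned to the caller

    def reset_password(self, email, token, new_password, now=None):
        """Refuse the reset unless a valid, unexpired, unused token is presented."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None or not token:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # single use: a replayed token finds no entry
        self.passwords[email] = new_password
        return True

    def login(self, email, password):
        stored = self.passwords.get(email)
        if stored is None or not password or stored != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"email": email, "mfa_ok": False}
        return sid

    def complete_mfa(self, sid, code_valid):
        if sid in self.sessions and code_valid:
            self.sessions[sid]["mfa_ok"] = True

    def vehicle_search(self, sid, query):
        """2FA state lives on the server, so editing the page cannot satisfy it."""
        sess = self.sessions.get(sid)
        if sess is None or not sess["mfa_ok"]:
            raise PermissionError("2FA not completed for this session")
        return {"query": query, "requested_by": sess["email"]}
```
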

“There were a ton of other endpoints. One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle,” he said.

“After searching and finding my own vehicle in the dashboard, I confirmed that the STARLINK admin dashboard ought to have access to just about any Subaru in the United States, Canada, and Japan.”

The researchers also tested that they could perform all the actions listed in the portal using the license plate of a friend’s Subaru car.

Curry says Subaru patched the vulnerability within 24 hours of the researchers’ report and that it was never exploited by an attacker.

A group of security researchers, including Curry, discovered a similar security flaw in Kia’s dealer portal, allowing hackers to locate and steal millions of Kia cars made since 2013 using just the targeted vehicle’s license plate.
