In a groundbreaking discovery on November 20, 2024, security researchers Shubham Shah and a colleague uncovered a serious security vulnerability in Subaru's STARLINK connected vehicle service.
The flaw allowed unauthorized, unrestricted access to vehicles and customer accounts across the United States, Canada, and Japan.
By exploiting this vulnerability, malicious actors could remotely control vehicle functions and access sensitive customer data; the actions available included unlocking vehicles, tracking location history, and retrieving personally identifiable information (PII).
Subaru patched the vulnerability within 24 hours of receiving the researchers' report, averting potential large-scale exploitation.
The researchers detailed how minimal user information, such as a victim's last name, ZIP code, email address, phone number, or license plate, was sufficient to exploit the STARLINK system.
This access allowed them to perform actions such as remotely starting, stopping, locking, and unlocking vehicles.
They also managed to retrieve a vehicle's one-year location history, accurate to within 5 meters, and to access customers' sensitive data, including emergency contacts, billing information, and even vehicle PINs.
Systemic Flaws in Access Controls
The researchers initially examined Subaru's MySubaru mobile app but found its security robust.
Shifting focus, they investigated Subaru's back-end systems and came across an employee-facing STARLINK admin panel, which provided broad access to vehicles and customer records.
By exploiting a flaw in the "resetPassword.json" endpoint, they reset employee passwords without any verification or token being required.
Using publicly available information, such as employee email addresses from LinkedIn, they gained unauthorized access to the system.
Further investigation revealed the admin panel's weak two-factor authentication (2FA) implementation, which the researchers bypassed with simple client-side modifications.
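As an added illustration (not code from the article, the researchers, or Subaru's systems), the Python below contrasts the two password-reset designs at issue: a handler that, like the flaw described for the resetPassword.json endpoint, overwrites a password for anyone who supplies an employee email, beside a hardened handler that only honours a server-issued, single-use, time-limited reset token. The in-memory stores, the sample account, and the 15-minute token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the admin panel's user database (assumption).
USERS = {"employee@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # email -> (sha256(token), expiry timestamp)


def _digest(value: str) -> str:
    # Placeholder for a real password KDF (argon2/bcrypt); sha256 keeps the example dependency-free.
    return hashlib.sha256(value.encode()).hexdigest()


def insecure_reset(email: str, new_password: str) -> bool:
    """Weak pattern: the only input is the e-mail, so knowing an address is enough to take the account."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = _digest(new_password)
    return True


def issue_reset_token(email: str, ttl_seconds: int = 900, now: Optional[float] = None) -> Optional[str]:
    """Server-side step: mint a random single-use token, store only its hash, and hand back the raw
    token for out-of-band delivery to the account's e-mail. The HTTP layer should answer the client
    identically whether or not the account exists, so that this endpoint does not enumerate users."""
    if email not in USERS:
        return None
    issued = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = (_digest(token), issued + ttl_seconds)
    return token


def secure_reset(email: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Hardened handler: the reset succeeds only with a matching, unexpired, not-yet-used token."""
    entry = RESET_TOKENS.get(email)
    if entry is None:
        return False
    token_hash, expiry = entry
    current = time.time() if now is None else now
    if current > expiry or not hmac.compare_digest(token_hash, _digest(token)):
        return False
    del RESET_TOKENS[email]  # single use: a replayed token must fail
    USERS[email]["password_hash"] = _digest(new_password)
    return True
```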


Once inside, the admin dashboard provided unfettered access to vehicle control features and customer data for STARLINK-enabled vehicles.
Real-World Scenarios and Vehicle Access
To validate the severity of the vulnerability, the researchers conducted controlled experiments on their own vehicles and those of consenting individuals.
For example, they added themselves as authorized users on a friend's Subaru via the admin panel and then successfully executed remote commands, including unlocking the vehicle, all without the owner receiving any notification.


The researchers also demonstrated the ability to retrieve extensive customer information, such as physical addresses, emergency contacts, and billing data, all from the STARLINK admin dashboard.
The researchers reported the vulnerability to Subaru's security team late on November 20, 2024.
Subaru acknowledged the flaw the next morning and deployed a fix by the afternoon, preventing further exploitation.
While the company's swift action mitigated potential harm, the incident highlighted systemic challenges in securing connected vehicle systems.
As the researchers pointed out, the auto industry often grants employees extensive access to sensitive data by default, relying heavily on trust.
This discovery underscores the critical need for strong access controls, multi-layered authentication mechanisms, and rigorous security testing in connected vehicle systems.
As automation and connectivity continue to define modern vehicles, vulnerabilities like this could have far-reaching consequences for user safety and privacy.