Massive Security Vulnerability in Subaru’s STARLINK System Exposed by Ethical Hackers

by Samir Gautam
January 23, 2025
in Internet of Things, News, Tech
Reading Time: 3 mins read

On November 20, 2024, cybersecurity researchers Shubham Shah and his colleague uncovered a critical vulnerability in Subaru’s STARLINK-connected vehicle service. The discovery was made through systematic testing and analysis of Subaru’s online systems, during which the researchers identified an improperly secured endpoint, allowing unauthorized access to sensitive vehicle functions and customer data. This vulnerability provided unrestricted targeted access to vehicles and customer accounts in the United States, Canada, and Japan. The exploit required minimal information, such as the victim’s last name, ZIP code, email address, phone number, or license plate.


Potential Exploits of the Vulnerability

Using the vulnerability, a malicious actor could have:

  • Remotely started, stopped, locked, and unlocked any vehicle through Subaru’s backend systems. Because the backend did not adequately validate who was issuing a command, vehicle control was reachable with minimal information, which underlines why strong authentication and authorization matter for connected systems.
  • Retrieved real-time vehicle locations and a year’s worth of location history with pinpoint accuracy.
  • Accessed sensitive customer data, including personally identifiable information (PII), emergency contacts, billing details, and vehicle PINs.
  • Extracted additional data, such as support call history, odometer readings, and previous ownership details.

Thankfully, the issue was patched within 24 hours of being reported, and there is no evidence that the vulnerability was exploited maliciously.

[Figure: location point neighborhood chart and plot] Sam Curry and Shubham Shah accessed a year’s worth of location data for Curry’s mother’s 2023 Subaru Impreza through Subaru’s employee admin portal, exploiting its security weaknesses. Screenshot credit: Sam Curry.

Proof of Concept: A Demonstration of the Exploit

The researchers provided a chilling proof of concept, demonstrating how an attacker could take control of a Subaru vehicle using just its license plate in under 10 seconds. This was possible because the license plate information served as a unique identifier that could be used to query Subaru’s backend systems without requiring further authentication. By exploiting this design flaw, attackers could gain access to sensitive vehicle controls and data with minimal effort. They also showcased the retrieval of over a year’s worth of location data from a 2023 Subaru Impreza.

Unveiling the Flaw: A Step-by-Step Breakdown

Initial Testing on the MySubaru Mobile App

The researchers began by auditing the MySubaru app, which allows users to send vehicle commands. Using tools like Burp Suite, they intercepted HTTP requests but found no immediate vulnerabilities. The app’s endpoints were secured, and authorization was robust. Realizing the app wasn’t the weakest link, they shifted their focus to other Subaru-related online systems.

Discovering the STARLINK Admin Panel

With the help of Shubham’s colleague, Shubs, they identified a promising domain: portal.prod.subarucs.com, which appeared to be the STARLINK admin panel. Through a combination of directory brute-forcing and examining JavaScript files, they discovered an endpoint that, because of improper input validation and the absence of a token-based confirmation step, allowed employee passwords to be reset without any additional layer of authentication. To prevent such flaws, developers must implement rigorous validation, use secure confirmation mechanisms such as time-limited tokens, and regularly audit endpoints for misconfigurations.
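The flaw described above comes down to a reset endpoint that acts on an email address alone. The following is an added illustration, not Subaru’s code or the researchers’ code, contrasting that anti-pattern with a reset flow that requires a time-limited, single-use confirmation token. It uses an in-memory store and an injectable clock; the 15-minute validity window, the account details and the hashing choices are assumptions made for the example.

```python
"""Password reset: the pattern the article describes (reset on email alone)
beside a hardened flow that demands a time-limited, single-use token.
Added example with an in-memory store; not the code of any real system."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset token lives 15 minutes


def _hash(value: str) -> str:
    # Illustrative only; a real deployment stores passwords with a slow KDF.
    return hashlib.sha256(value.encode()).hexdigest()


class WeakResetService:
    """Anti-pattern: whoever knows a valid email can set a new password."""

    def __init__(self, users):
        self.users = users  # email -> password hash

    def reset_password(self, email, new_password):
        if email not in self.users:
            return False
        self.users[email] = _hash(new_password)  # no proof of mailbox access
        return True


class HardenedResetService:
    """Reset is a two-step flow bound by a random token the caller must prove."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self._pending = {}  # email -> (sha256(token), expiry timestamp)

    def request_reset(self, email):
        """Step 1: mint a token and record only its hash.
        The return value stands in for the out-of-band delivery channel
        (the mailbox on file); the HTTP response to the caller is identical
        whether or not the account exists, so nothing here leaks existence."""
        token = secrets.token_urlsafe(32)
        if email in self.users:
            self._pending[email] = (_hash(token), self.clock() + TOKEN_TTL_SECONDS)
        return token

    def confirm_reset(self, email, token, new_password):
        """Step 2: accept the new password only with a fresh, unused, matching token."""
        record = self._pending.get(email)
        if record is None:
            return False
        token_hash, expires_at = record
        if self.clock() > expires_at:
            self._pending.pop(email, None)  # expired tokens are discarded
            return False
        if not hmac.compare_digest(token_hash, _hash(token)):
            return False  # wrong token; constant-time compare
        self._pending.pop(email)  # single use: a replay fails below
        self.users[email] = _hash(new_password)
        return True


def demo():
    """Walk both services through the same scenario; returns the outcomes."""
    users = {"j.doe@example.com": _hash("old-password")}  # constructed sample account

    weak = WeakResetService(dict(users))
    weak_takeover = weak.reset_password("j.doe@example.com", "attacker-chosen")  # True

    now = [1_000_000.0]  # controllable clock so expiry can be exercised
    hard = HardenedResetService(dict(users), clock=lambda: now[0])
    no_token = hard.confirm_reset("j.doe@example.com", "guess", "x")          # False
    token = hard.request_reset("j.doe@example.com")
    ok = hard.confirm_reset("j.doe@example.com", token, "new-password")       # True
    replay = hard.confirm_reset("j.doe@example.com", token, "again")          # False
    token2 = hard.request_reset("j.doe@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = hard.confirm_reset("j.doe@example.com", token2, "late")         # False
    return weak_takeover, no_token, ok, replay, expired


if __name__ == "__main__":
    print(demo())
```

The hardened flow also answers the enumeration concern raised later in the article: the request step responds the same way for known and unknown addresses, and only the holder of the mailbox ever sees the token.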

Exploiting the Password Reset Endpoint

The vulnerability in the password reset system allowed the researchers to take over any employee account, provided they had the corresponding email address. By enumerating employee emails using LinkedIn and a Subaru email pattern ([first_initial][last]@subaru.com), they identified an active user. Using the password reset functionality, they successfully took control of an account.
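From a defender’s side, the sequence described here (many reset attempts across employee accounts, then a password actually changing with no confirmation step) leaves a recognisable trail in an authentication audit log. The detection sketch below is an added example, not Subaru’s telemetry or the researchers’ work; the log format, the sample lines, the thresholds and the 15-minute token lifetime are all constructed for the illustration.

```python
"""Detection over constructed password-reset audit logs.
Rule 1: one source requesting resets for many distinct accounts in a short window.
Rule 2: a reset completing for an account with no recent reset request,
        i.e. the confirmation step was skipped. Added example; format assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: <timestamp> <source IP> <event> <account>
SAMPLE_LOG = """\
2024-11-20T10:00:01Z 203.0.113.5 reset_request alice@example.com
2024-11-20T10:00:03Z 203.0.113.5 reset_request bob@example.com
2024-11-20T10:00:04Z 203.0.113.5 reset_request carol@example.com
2024-11-20T10:00:06Z 203.0.113.5 reset_request dave@example.com
2024-11-20T10:00:08Z 203.0.113.5 reset_request erin@example.com
2024-11-20T10:00:09Z 203.0.113.5 reset_request frank@example.com
2024-11-20T10:00:40Z 203.0.113.5 reset_complete frank@example.com
2024-11-20T11:15:00Z 198.51.100.7 reset_request grace@example.com
2024-11-20T11:20:00Z 198.51.100.7 reset_complete grace@example.com
2024-11-20T12:00:00Z 203.0.113.9 reset_complete heidi@example.com
"""

ENUM_THRESHOLD = 5                    # distinct accounts from one source ...
ENUM_WINDOW = timedelta(minutes=10)   # ... within this window (assumed tuning)
TOKEN_TTL = timedelta(minutes=15)     # assumed lifetime of a reset token


def parse(line):
    ts, ip, event, account = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event, account


def detect(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: reset requests fanning out across accounts from a single source
    requests_by_ip = defaultdict(list)
    for ts, ip, event, account in events:
        if event == "reset_request":
            requests_by_ip[ip].append((ts, account))
    for ip, reqs in requests_by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            accounts = {a for t, a in reqs[i:] if t - start <= ENUM_WINDOW}
            if len(accounts) >= ENUM_THRESHOLD:
                findings.append(("reset_enumeration", ip, len(accounts)))
                break  # one finding per source is enough

    # Rule 2: completion with no request for that account inside the token lifetime
    requests_by_account = defaultdict(list)
    for ts, ip, event, account in events:
        if event == "reset_request":
            requests_by_account[account].append(ts)
    for ts, ip, event, account in events:
        if event == "reset_complete":
            recent = [t for t in requests_by_account[account]
                      if timedelta(0) <= ts - t <= TOKEN_TTL]
            if not recent:
                findings.append(("reset_without_request", ip, account))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Rule 2 is the one that speaks directly to the flaw in the article: a correctly built reset endpoint cannot complete without a preceding request, so a completion with no matching request is a strong signal that the confirmation step is being bypassed.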

Circumventing Two-Factor Authentication

Although the researchers gained access to an employee’s account, they encountered a custom two-factor authentication (2FA) system. They began testing methods to bypass it, though their report did not disclose the details of further exploitation.

Immediate Response by Subaru

Upon receiving the report from Shah and Shubs, Subaru’s security team acted swiftly, patching the vulnerability within 24 hours. Subaru issued a statement thanking the researchers for their responsible disclosure and assuring customers that the vulnerability had not been exploited maliciously.

Broader Implications

This incident highlights the need for robust security in connected vehicle services and for industry-wide measures such as threat modeling, routine system audits, and secure-by-design development. Smart vehicles introduce new attack surfaces, so automakers must regularly audit and test their systems for vulnerabilities, and ethical hackers play a crucial role in identifying flaws before malicious actors can exploit them.

© 2025 Techstory.in