A vulnerability in Subaru Starlink allows remote hacking of vehicles.

Monday, January 27, 2025

A vulnerability in the Subaru Starlink system put vehicles and customer accounts in the U.S. and Canada at risk of remote attacks. Cybersecurity researchers Sam Curry and Shubham Shah discovered the flaw, which allowed attackers who knew only basic information such as a name, email address, or license plate to take control of vehicles and access personally identifiable information (PII), travel history, and billing data without restriction. After the researchers notified Subaru on November 20, 2024, the company fixed the vulnerability within 24 hours.

The researchers identified the vulnerability in an admin panel hosted on a Subaru subdomain. They were able to reset employee account passwords without authentication and bypass two-factor authentication (2FA). Once logged in, an attacker could retrieve customer and vehicle data, such as VINs, travel history, names, phone numbers, and billing details. Additionally, they could remotely control vehicle functions, such as unlocking doors, without the vehicle owner receiving any alert.

Curry and his team have previously uncovered vulnerabilities in the systems of other automotive brands, including Kia, Honda, Infiniti, and Nissan, as well as luxury brands such as Rolls-Royce and Ferrari. Those vulnerabilities enabled attackers to control critical vehicle functions and steal personal data. Such discoveries highlight the importance of improving the security of connected vehicle systems to reduce the risk of future cyberattacks.

Source: https://securityaffairs.com/173434/security/subaru-starlink-vulnerability-remote-attacks.html