Advisory

Researchers discover flaw in Subaru STARLINK connected vehicle system

Take action: Any cloud platform can be compromised. Be very careful with always-connected devices, including cars that are part of a cloud platform, because you are at risk.


Learn More

A security vulnerability in Subaru's STARLINK connected vehicle system was reported by cybersecurity researchers Shubham Shah and Sam Curry.

The vulnerability, discovered in the STARLINK admin portal, enabled unauthorized access to vehicle control systems and sensitive customer data across the United States, Canada, and Japan. The researchers publicly disclosed their findings on January 23, 2025, after Subaru had patched the vulnerability.

The flaw was an arbitrary account takeover vulnerability in the STARLINK admin portal, which was designed for employee use. The researchers identified a critical weakness in the password reset functionality: a "resetPassword.json" endpoint allowed password resets without requiring any confirmation token, so merely knowing an employee's email address could grant an attacker full access to that account. Furthermore, the researchers bypassed the two-factor authentication (2FA) system by manipulating the website's code, effectively neutralizing this crucial security measure.
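As an added illustration (example code written for this advisory, not Subaru's or the researchers' code), the token-less reset pattern described above is shown next to a hardened handler that binds a single-use, expiring token to the address; the user store and email addresses are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for this example (not a real system).
# sha256 stands in for a real password hash (argon2/bcrypt) for brevity.
USERS = {"employee@example.com": {"pw_hash": hashlib.sha256(b"old-pw").hexdigest()}}
RESET_TOKENS = {}  # sha256(token) -> (email, expiry); only hashes are stored


def reset_password_vulnerable(email, new_password):
    """The pattern the advisory describes: knowing the address is enough,
    no confirmation token is required."""
    if email not in USERS:
        return False
    USERS[email]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def request_reset(email, ttl=900):
    """Hardened step 1: mint a single-use, time-limited token and store only
    its hash. The plaintext token is delivered out of band (e-mail) to the
    account owner; it is returned here only so the example can exercise it.
    Unknown addresses get an identical response, so they cannot be enumerated."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, time.time() + ttl)
    return token


def reset_password(email, token, new_password):
    """Hardened step 2: accept the reset only with an unexpired, unused token
    bound to this address. The token is consumed on any attempt."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    bound_email, expiry = entry
    if time.time() > expiry or bound_email != email:
        return False
    USERS[email]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def check_password(email, password):
    """Helper so callers can confirm which reset actually took effect."""
    return USERS[email]["pw_hash"] == hashlib.sha256(password.encode()).hexdigest()
```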

Once unauthorized access was gained, the scope of potential exploitation proved extensive. The researchers demonstrated the ability to:

  • remotely control vehicles, including starting, stopping, locking, and unlocking any connected Subaru vehicle;
  • access detailed location histories spanning up to one year, with precise locations and timestamps for every engine start;
  • access sensitive customer information, including contact details, addresses, partially masked billing information, and vehicle PINs;
  • add themselves as authorized users to any vehicle, effectively gaining control without the owner's knowledge.

The vulnerability was responsibly disclosed to Subaru on November 20, 2024, and the company implemented a patch within 24 hours of notification. It is unclear whether the flaw had been exploited previously.
