Research from Shubham Shah and Sam Curry reveals Subaru’s STARLINK connected vehicle service contains a vulnerability that permits unrestricted, targeted access to all user accounts and vehicles in the United States, Canada, and Japan.
By exploiting this vulnerability, a malicious actor who also knew the victim’s surname and ZIP code, phone number, email address, or license plate could obtain sensitive data and take control of the vehicle. With that information, a malicious actor could:
- Retrieve the location of a vehicle
- Remotely lock, unlock, start or stop a vehicle
- Obtain a vehicle’s location history from the past year
- Retrieve miscellaneous data (such as odometer reading, previous owners, call history, sales history, and more)
Josh Jacobson, Director of Professional Services at HackerOne, discusses the vulnerability in greater depth. “Researchers Shubham Shah and Sam Curry identified hardcoded credentials within JavaScript files, which then allowed them to replace employee email addresses, reset passwords without confirmation tokens, and bypass 2FA by modifying the UI, thus giving them access to the admin panel. Once inside the admin panel they essentially gained ‘God Mode’ access, enabling them to search for any STARLINK-connected vehicle. How was all of this possible without notice? Hard-coded credentials, lack of end-user notifications for account changes, and weak security between application and vehicle communication.”
Jacobson adds, “The vulnerability emphasizes a big issue with interconnected vehicles. They often rely on the outdated CAN bus protocol, which was designed in the 1980s without security in mind. CAN bus doesn’t have any encryption or authentication mechanisms built in, leaving it vulnerable to exploitation once at that layer.”
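The account-takeover chain Jacobson describes, a password reset that needs no confirmation token and a second-factor gate that exists only in the UI, is easiest to see next to the server-side checks that close it. The following is a constructed Python example added here; it is not Subaru’s or STARLINK’s code, nor the researchers’ proof of concept. The account service, its in-memory store, the sample users, the 15-minute token lifetime and the “outbox” standing in for email delivery are all assumptions. The hardened version also records a notification to the account owner on every password change, the end-user notification Jacobson notes was missing.

```python
# Constructed example: the two weaknesses described above (reset by email alone,
# 2FA enforced only in the client) next to a hardened version. Not Subaru or
# STARLINK code; the service, store, users and token lifetime are assumptions.
import hashlib
import hmac
import secrets
import struct
import time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) so the second factor is verifiable on the server."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class WeakAccountService:
    """Vulnerable pattern: reset needs only the email; the 2FA gate is a client flag."""

    def __init__(self):
        self.users = {}

    def add_user(self, email: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": hash_password(password, salt), "totp": totp_secret}

    def reset_password(self, email: str, new_password: str) -> bool:
        # No token and no proof of ownership: knowing the email is enough.
        u = self.users[email]
        u["pw"] = hash_password(new_password, u["salt"])
        return True

    def login(self, email: str, password: str, client_says_2fa_done: bool):
        u = self.users[email]
        if not hmac.compare_digest(u["pw"], hash_password(password, u["salt"])):
            return None
        # The server trusts a flag the browser sets after showing a 2FA overlay;
        # deleting the overlay or editing the request skips the second factor.
        return "session" if client_says_2fa_done else "needs-2fa"


class HardenedAccountService:
    """Reset requires a single-use, expiring token sent to the owner; 2FA checked server-side."""

    RESET_TTL = 15 * 60  # assumed token lifetime in seconds

    def __init__(self, clock=time.time):
        self.users = {}
        self.resets = {}   # email -> (sha256(token), expiry)
        self.outbox = []   # stand-in for out-of-band delivery to the account owner
        self.clock = clock

    def add_user(self, email: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": hash_password(password, salt), "totp": totp_secret}

    def request_reset(self, email: str) -> str:
        # Identical response whether or not the account exists (no enumeration).
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).digest()
            self.resets[email] = (digest, self.clock() + self.RESET_TTL)
            self.outbox.append((email, token))  # only the owner receives the token
        return "If that account exists, a reset link has been sent."

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        entry = self.resets.pop(email, None)  # single use: consumed on first attempt
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        u = self.users[email]
        u["salt"] = secrets.token_bytes(16)
        u["pw"] = hash_password(new_password, u["salt"])
        self.outbox.append((email, "Your password was changed"))  # notify on account change
        return True

    def login(self, email: str, password: str, totp_code: str):
        u = self.users.get(email)
        if u is None or not hmac.compare_digest(u["pw"], hash_password(password, u["salt"])):
            return None
        # The second factor is computed and compared here, from the stored secret;
        # nothing the client sends besides the code itself is trusted.
        if not hmac.compare_digest(totp(u["totp"], self.clock()), totp_code):
            return None
        return secrets.token_urlsafe(16)
```

The weak service shows why knowing only an email address was sufficient: its reset path has no secret to guess and its login path believes whatever the client says about the second factor. In the hardened service the only secret that unlocks a reset travels out of band to the owner, is compared in constant time, expires, and is consumed on first use, and the TOTP check cannot be removed by editing the page.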
This access could also allow a malicious actor to find the personally identifiable information (PII) of users, including authorized users, emergency contacts, physical addresses, billing information, and vehicle PINs. Clyde Williamson, Senior Product Security Architect at Protegrity, offers insights on the risks this exposed data could present.
“This data definitely makes it easier for hackers to determine who you are and where you’ve been. It can also tell hackers where your friends and family are, it can tell them where to look for medical information, or it could even give them small personal details they can then use in social engineering attacks,” Williamson states. “A car’s data might be more than enough information to sell to somebody who will call and try to scam your grandma out of money by saying you were in an accident, or any number of personal emergencies.
“Customers don’t typically know of these risks when they’re just trying to purchase a safe, modern vehicle, and this just goes to show how expansive attack surfaces can truly be. Is this data being properly secured by these car manufacturers — both against external and internal threats?
“My guess is no, and they need to immediately look into data protection strategies like encryption and tokenization that can render data useless to attackers and insider threats, making it impossible to steal and use maliciously.
“Over the last few years, we’ve seen several examples of regulatory failure when it comes to data privacy. The consistency with which incredibly sensitive customer data — data that they may not know they’re giving — has been stolen is concerning. Whether or not this was such a case, shady data collection practices where customers aren’t told or, worse, the information is buried in terms and conditions, just emphasize the need for better legislation and better company buy-in to data security.”