Subaru Starlink flaw let hackers hijack vehicles in US and Canada

Security researchers have found an arbitrary account takeover flaw in Subaru’s Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using only a license plate.

Bug bounty hunter Sam Curry revealed on Thursday that the vulnerability was found on November 20, 2024, with the assistance of researcher Shubham Shah.

They discovered that the security flaw gave potential attackers unrestricted targeted access to all U.S., Canadian, and Japanese customer accounts and vehicles. The only requirements were prior knowledge of the victim’s last name and ZIP code, email address, phone number, or license plate.

Among other things, successful exploitation could have allowed hackers targeting Subaru customers to:

  • Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
  • Retrieve any vehicle’s location history from the past year (accurate to within 5 meters and updated each time the engine starts).
  • Query and retrieve any customer’s personally identifiable information (PII), including emergency contacts, authorized users, physical address, billing information (e.g., the last four digits of credit cards, excluding the full card number), and vehicle PIN.
  • Access miscellaneous user data, including support call history, previous owners, odometer reading, sales history, and more.

Curry also shared a video demonstrating how the Starlink vulnerability could be exploited to get more than a year’s worth of location data for a Subaru vehicle within just 10 seconds.

As the researcher explained, Subaru Starlink’s admin portal contained an arbitrary account takeover flaw, found when a “resetPassword.json” endpoint allowed Subaru employees to reset their accounts without requiring a confirmation token by entering any valid employee email.

After taking over an employee’s account, Curry also had to bypass a two-factor authentication (2FA) prompt to access the portal. However, this was also easily circumvented by removing the client-side overlay from the portal’s user interface.
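Both weaknesses described above, a reset endpoint that asked for no confirmation token and a 2FA prompt enforced only by a client-side overlay, are closed by moving the check to the server. The following Python model is an added example, not Subaru's code and not from the original article; `Portal`, its methods, `RESET_TTL` and the sample addresses are hypothetical, and `expected_code` stands in for a real TOTP or WebAuthn check.

```python
import hashlib, hmac, secrets, time
RESET_TTL = 900  # seconds a reset token stays valid (assumed policy)

class Portal:
    """Hypothetical admin-portal backend; every name here is illustrative."""
    def __init__(self, employees):
        self.passwords = dict.fromkeys(employees)  # toy storage; hash in production
        self.resets = {}    # email -> (sha256 of token, expiry time)
        self.sessions = {}  # session id -> {"email": ..., "mfa_ok": bool}

    def request_reset(self, email):
        """Issue a one-time token; a real system mails it to the mailbox owner."""
        if email not in self.passwords:
            return None  # the HTTP layer should answer identically either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.resets[email] = (digest, time.time() + RESET_TTL)
        return token

    def reset_password(self, email, token, new_password):
        """Change the password only for a valid, unexpired, unused token."""
        digest, expiry = self.resets.get(email, (b"", 0.0))
        supplied = hashlib.sha256((token or "").encode()).digest()
        if not hmac.compare_digest(digest, supplied) or time.time() > expiry:
            return False
        del self.resets[email]  # single use
        self.passwords[email] = new_password
        return True

    def login(self, email, password):
        """Password step only: the session starts with mfa_ok False."""
        if password is None or self.passwords.get(email) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"email": email, "mfa_ok": False}
        return sid

    def verify_mfa(self, sid, code, expected_code):
        """Record second-factor success on the server-side session."""
        if sid in self.sessions and hmac.compare_digest(code, expected_code):
            self.sessions[sid]["mfa_ok"] = True
        return sid in self.sessions and self.sessions[sid]["mfa_ok"]

    def vehicle_search(self, sid, query):
        """Data endpoints check the server-side flag, not what the UI shows."""
        session = self.sessions.get(sid)
        if not session or not session["mfa_ok"]:
            raise PermissionError("second factor not completed")
        return {"query": query, "results": []}  # constructed placeholder result
```

Because `vehicle_search` consults the session's `mfa_ok` flag itself, hiding or removing a prompt in the browser changes nothing about what the backend will return.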

“There were a ton of other endpoints. One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle,” he said.

“After searching and finding my own vehicle in the dashboard, I confirmed that the STARLINK admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan.”

The researchers also confirmed that they could perform all the actions listed in the portal by testing it using the license plate of a friend’s Subaru vehicle.

Curry says Subaru patched the vulnerability within 24 hours of the researchers’ report and that it was never exploited by an attacker.

A group of security researchers, including Curry, discovered a similar security flaw in Kia’s dealer portal, allowing hackers to locate and steal millions of Kia cars made since 2013 using just the targeted vehicle’s license plate.
