Security researchers have found an arbitrary account takeover flaw in Subaru’s Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using only a license plate.
Bug bounty hunter Sam Curry revealed on Thursday that the vulnerability was discovered on November 20, 2024, with the help of researcher Shubham Shah.
They found that the security flaw gave potential attackers unrestricted, targeted access to all U.S., Canadian, and Japanese customer accounts and vehicles. The only prerequisite was prior knowledge of the victim’s last name and ZIP code, email address, phone number, or license plate.
Among other things, successful exploitation could have allowed hackers targeting Subaru customers to:
- Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
- Retrieve any vehicle’s location history from the past year (accurate to within 5 meters and updated every time the engine starts).
- Query and retrieve any customer’s personally identifiable information (PII), including emergency contacts, authorized users, physical address, billing information (e.g., the last 4 digits of credit cards, excluding the full card number), and vehicle PIN.
- Access miscellaneous user data, including support call history, previous owners, odometer reading, sales history, and more.
Curry also shared a video demonstrating how the Starlink vulnerability could be exploited to obtain more than a year’s worth of location data for a Subaru vehicle in just 10 seconds.
As the researcher explained, Subaru Starlink’s admin portal contained an arbitrary account takeover flaw, discovered after a “resetPassword.json” endpoint allowed Subaru employees to reset their accounts without requiring a confirmation token, simply by entering any valid employee email.
After taking over an employee’s account, Curry also had to get past a two-factor authentication (2FA) prompt to access the portal. However, this was also easily circumvented by removing the client-side overlay from the portal’s user interface, since the check was enforced only in the browser and not on the server.
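The two weaknesses described above are both absences of a server-side control: a password reset that trusts an email address alone, and a second factor enforced only by a UI overlay. The following is an added example, not Subaru’s or the researchers’ code, showing each control in its insecure form beside a hardened form: reset tokens that are single-use and expiring (only their hash stored), and a 2FA gate that the server checks on every request regardless of what the client renders. The user store, emails, and the `code_ok` stand-in for a real TOTP/WebAuthn check are all constructed for the demo.

```python
"""Added example (not Subaru's code): password reset and 2FA gating,
insecure pattern beside hardened pattern. All users, emails and tokens
are constructed for this demo."""
import hashlib
import hmac
import secrets
import time


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed user store: email -> record. Passwords are stored hashed.
USERS = {
    "employee@example.invalid": {"password_hash": _hash("old-pw"), "mfa_enrolled": True},
}


# --- 1. Password reset ----------------------------------------------------

def reset_password_insecure(users: dict, email: str, new_password: str) -> bool:
    """Anyone who knows a valid email can set a new password: there is no
    proof the caller controls that mailbox. This is the pattern to avoid."""
    if email not in users:
        return False
    users[email]["password_hash"] = _hash(new_password)
    return True


class ResetTokens:
    """Single-use, expiring reset tokens bound to one email. Only the hash of
    each token is stored, so a leaked table yields nothing usable."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for testing expiry
        self._pending = {}            # token_hash -> (email, expires_at)

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[_hash(token)] = (email, self.clock() + self.ttl)
        return token  # in a real system: delivered out-of-band, never in the API response

    def consume(self, email: str, token: str) -> bool:
        entry = self._pending.pop(_hash(token), None)   # pop => single use
        if entry is None:
            return False
        bound_email, expires_at = entry
        return bound_email == email and self.clock() <= expires_at


def reset_password_hardened(users: dict, tokens: ResetTokens, email: str,
                            token: str, new_password: str) -> bool:
    """Reset succeeds only with a live token issued for this exact email."""
    if email not in users or not tokens.consume(email, token):
        return False
    users[email]["password_hash"] = _hash(new_password)
    return True


# --- 2. Two-factor gating -------------------------------------------------

class Session:
    def __init__(self):
        self.user = None
        self.mfa_verified = False


def login(users: dict, session: Session, email: str, password: str) -> bool:
    rec = users.get(email)
    if rec is None or not hmac.compare_digest(rec["password_hash"], _hash(password)):
        return False
    session.user = email
    session.mfa_verified = False      # second factor still outstanding
    return True


def complete_mfa(session: Session, code_ok: bool) -> None:
    # code_ok stands in for a real TOTP / WebAuthn verification result
    if session.user is not None and code_ok:
        session.mfa_verified = True


def admin_portal(users: dict, session: Session) -> str:
    """The gate lives on the server. A client that hides or deletes a 2FA
    overlay still gets a 403, because the server never trusts UI state."""
    if session.user is None:
        return "401 login required"
    if users[session.user]["mfa_enrolled"] and not session.mfa_verified:
        return "403 second factor required"
    return "200 admin data"
```

The important design points are that `consume` pops the token before any comparison (so a token can never be replayed, even after a failed attempt), that the token is bound to the email it was issued for, and that `admin_portal` re-checks `mfa_verified` on every call rather than relying on the client to have shown the prompt.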
“There were a ton of other endpoints. One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle,” he said.
“After searching and finding my own vehicle in the dashboard, I confirmed that the STARLINK admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan.”
The researchers also verified that they could perform all the actions listed in the portal by testing it with the license plate of a friend’s Subaru vehicle.
Curry says Subaru patched the vulnerability within 24 hours of the researchers’ report, and that it was never exploited by an attacker.
A group of security researchers, including Curry, previously found a similar security flaw in Kia’s dealer portal, allowing hackers to locate and steal millions of Kia vehicles made since 2013 using just the targeted vehicle’s license plate.