Unauthorized Access to Subaru Starlink's Remote Control System, Retrieving Location Data, Personal Information, and More Details

Subaru's STARLINK service, a connected vehicle service, faced a severe security breach uncovered by Shubham Shah and Sam Curry on November 20, 2024. This breach granted unlimited, targeted access to vehicles and customer accounts across the US, Canada, and Japan, with just a victim's last name...

Unauthorized Access and Manipulation of Subaru Starlink 4's Remote Control System, Tracking Capabilities, and Personal Data
=================================================================================================

A significant security vulnerability was discovered in Subaru's STARLINK connected vehicle service in November 2024. The flaw allowed remote attackers to hijack vehicles and take over customer accounts using just a license plate number.

The vulnerability was demonstrated by cybersecurity researchers Shubham Shah and Sam Curry, who tracked a vehicle and added themselves as authorized users on a friend's Subaru without the customer receiving any alert. An attacker could control vehicles remotely: start, stop, lock, and unlock them, and retrieve their current location.

The implications of this vulnerability are severe, exposing millions of vehicles to unauthorized remote control and privacy breaches. The flaw highlights the risks inherent in connected vehicle systems that integrate telematics, user accounts, and remote vehicle controls without robust security measures.

The vulnerability enabled attackers in the US, Canada, and Japan to track, control, and remotely hack Subaru cars exposed to STARLINK's connected services. An attacker could access miscellaneous data such as support call history, previous ownership records, odometer readings, sales history, and other sensitive information. They could also retrieve over a year's worth of location history from the vehicle.

Upon examining JavaScript files from the admin panel, Curry and Shah discovered an endpoint that allowed password resets for employee accounts without requiring a confirmation token. They also enumerated employee email addresses using another endpoint and successfully reset a password to gain access to the admin panel.
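The core weakness described above is a password-reset endpoint that changes a password on the strength of an email address alone, paired with a second endpoint that reveals which addresses exist. As an added, defender-side illustration (not code from this article, from Subaru, or from the researchers), the Python below places that weak pattern next to a token-based flow that requires proof of control over the mailbox, stores only a hash of the token, expires it, makes it single-use, and answers the request step identically whether or not the address is registered, so the endpoint cannot be used to enumerate accounts. The in-memory store, the 15-minute lifetime, the function names, and the `outbox` stand-in for outbound email are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy for this example: reset links die after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str
    password_hash: str


@dataclass
class ResetTicket:
    email: str
    token_hash: str      # only the SHA-256 of the token is kept server-side
    expires_at: float
    used: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class AccountStore:
    """Constructed in-memory stand-in for the user database and mail system."""

    def __init__(self) -> None:
        self.accounts = {}   # email -> Account
        self.tickets = {}    # token hash -> ResetTicket
        self.outbox = []     # (email, token) pairs that would be emailed out

    def add(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, hash_password(password))

    # --- The weak pattern: a reset keyed on the email address alone. ---
    # Anyone who can reach this endpoint and knows an address owns the account;
    # the distinct "no such account" reply also confirms which addresses exist.
    def reset_password_unsafe(self, email: str, new_password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None:
            return "no such account"
        acct.password_hash = hash_password(new_password)
        return "password changed"

    # --- Hardened flow, step 1: issue a random token out of band. ---
    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if email in self.accounts:
            token = secrets.token_urlsafe(32)           # 256 bits of entropy
            token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.tickets[token_hash] = ResetTicket(
                email, token_hash, now + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))          # delivered to the mailbox
        # Same wording and same work either way: no enumeration oracle.
        return "if that address is registered, a reset link has been sent"

    # --- Step 2: the caller proves mailbox control by presenting the token. ---
    def confirm_reset(self, token: str, new_password: str,
                      now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Lookup is by hash of a high-entropy token, so a leaked ticket table
        # does not yield usable tokens and timing reveals nothing useful.
        ticket = self.tickets.get(hashlib.sha256(token.encode()).hexdigest())
        if ticket is None or ticket.used or now > ticket.expires_at:
            return "invalid or expired token"
        ticket.used = True                              # single use
        self.accounts[ticket.email].password_hash = hash_password(new_password)
        return "password changed"


if __name__ == "__main__":
    store = AccountStore()
    store.add("employee@example.com", "old-pass")       # constructed sample account
    print(store.request_reset("nobody@example.com"))
    print(store.request_reset("employee@example.com"))
    _, tok = store.outbox[0]
    print(store.confirm_reset(tok, "new-pass"))
    print(store.confirm_reset(tok, "again"))            # rejected: already used
```

The two responses from `request_reset` are identical on purpose; the only observable difference between a registered and an unregistered address is a message in the account holder's own mailbox. Rate limiting on both endpoints and an audit log entry for every successful reset would complete the picture in a real deployment.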

Once inside the admin panel, they accessed the Last Known Location endpoint, which provided exact coordinates of a vehicle's activity over the past year. The team demonstrated the ability to take over a Subaru vehicle using only the license plate within approximately 10 seconds.

The security vulnerability was publicly disclosed around early 2025 after being found in 2024, raising serious concerns for Subaru and connected vehicle services industry-wide. It underscores the necessity for manufacturers to improve the security of their Bluetooth and connected services stacks, conduct comprehensive security reviews, and deploy patches quickly to protect consumers from remote hacking risks.

After the researchers reported the vulnerability to Subaru, the affected system was patched within 24 hours, closing the issue before any malicious exploitation; no evidence of such exploitation was found.

This incident is part of a broader trend of automotive cybersecurity challenges revealed in 2024-2025, involving Bluetooth stack exploits like the "PerfektBlue" vulnerability, which similarly allowed remote code execution via wireless access to the car's infotainment system with minimal user interaction.

You can read more about Sam Curry's story at samcurry.net/hacking-subaru. A video demonstration of the vulnerability can be found at https://youtu.be/0i8juy6RPBI?feature=shared.

