A vulnerability in Subaru's Starlink connected vehicle service allowed unauthorized access to customer accounts in the US, Canada, and Japan, according to security researcher Sam Curry. The issue stemmed from the admin portal, whose JavaScript files exposed a password-reset function for employee accounts that required no confirmation token, potentially leading to account takeovers. Once inside the admin panel, attackers could view sensitive vehicle and customer data, including location history, VINs, and personal contact details. The vulnerability also allowed attackers to remotely control vehicles by adding themselves as authorized users without notifying the car owner, enabling them to start, stop, lock, and unlock the vehicle. Subaru addressed the issue within 24 hours after it was reported in November 2024, marking another discovery in a series of security flaws in automotive systems that Curry and other researchers have uncovered.
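The core flaw described above is a password-reset path that accepts a new password without any proof that the caller owns the account. The following added example (written for this page, not Subaru's code or Curry's findings; the user store, e-mail address and service names are constructed) contrasts that pattern with a reset flow that issues a random, short-lived, single-use token, compares it in constant time, and records audit events a defender can alert on:

```python
import hashlib
import hmac
import secrets
import time


def _hash(value: str) -> str:
    """SHA-256 hex digest; stands in for a proper password/token hashing scheme."""
    return hashlib.sha256(value.encode()).hexdigest()


def make_users():
    """Constructed in-memory user store with one hypothetical employee account."""
    return {"employee@example.invalid": {"password_hash": _hash("old-pass")}}


class InsecureResetService:
    """The flaw class: knowing an e-mail address is enough to set a new password."""

    def __init__(self, users):
        self.users = users

    def reset_password(self, email, new_password):
        if email not in self.users:
            return False
        self.users[email]["password_hash"] = _hash(new_password)  # no proof of ownership
        return True


class TokenResetService:
    """Hardened flow: a random, short-lived, single-use token must accompany the reset."""

    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.pending = {}  # email -> (sha256(token), expiry timestamp)
        self.audit = []    # (event, email, timestamp) records for detection/alerting

    def request_reset(self, email):
        # A token is generated whether or not the account exists, so the response
        # does not reveal valid e-mail addresses. Only its hash is stored.
        token = secrets.token_urlsafe(32)
        if email in self.users:
            self.pending[email] = (_hash(token), self.clock() + self.TOKEN_TTL_SECONDS)
        # In production the token is delivered out of band to the account owner;
        # it is returned here only so the example can run offline.
        return token

    def reset_password(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            self.pending.pop(email, None)
            self.audit.append(("reset_token_expired", email, self.clock()))
            return False
        if not hmac.compare_digest(token_hash, _hash(token)):
            self.audit.append(("reset_token_mismatch", email, self.clock()))
            return False
        self.pending.pop(email, None)  # single use: a replay of the same token fails
        self.users[email]["password_hash"] = _hash(new_password)
        self.audit.append(("password_reset", email, self.clock()))
        return True


class FakeClock:
    """Controllable clock so the expiry check can be exercised deterministically."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Run both services over the constructed store and return the observed outcomes."""
    email = "employee@example.invalid"
    results = {}

    insecure = InsecureResetService(make_users())
    results["insecure_reset_without_token"] = insecure.reset_password(email, "caller-chosen")

    clock = FakeClock()
    hardened = TokenResetService(make_users(), clock=clock)
    results["hardened_reset_without_request"] = hardened.reset_password(email, "guess", "pw")
    token = hardened.request_reset(email)
    results["hardened_reset_wrong_token"] = hardened.reset_password(email, "not-the-token", "pw")
    results["hardened_reset_valid_token"] = hardened.reset_password(email, token, "new-pass")
    results["hardened_replay_same_token"] = hardened.reset_password(email, token, "again")
    token2 = hardened.request_reset(email)
    clock.now += TokenResetService.TOKEN_TTL_SECONDS + 1
    results["hardened_expired_token"] = hardened.reset_password(email, token2, "late")
    results["audit_events"] = [event for event, _, _ in hardened.audit]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mismatch and expiry entries in the audit list are the events worth wiring to alerting: a burst of `reset_token_mismatch` records against administrative accounts is the signal a defender would want from a portal like the one described.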