Full Report
Now-fixed web bugs allowed hackers to remotely unlock and start millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.
Analysis Summary
# Vulnerability: Subaru Starlink Employee Portal Account Takeover Leading to Vehicle Control and Location Data Exposure
## CVE Details
- CVE ID: None assigned in the source text (the findings were reported privately and patched before public disclosure).
- CVSS Score: Not explicitly calculated, but implied **High** due to vehicle control and massive location data access.
- CWE: Likely related to Improper Access Control or Insecure Direct Object Reference (IDOR) combined with weak authentication/authorization controls.
## Affected Systems
- Products: Subaru vehicles equipped with Starlink digital features in the US, Canada, or Japan.
- Versions: Not vehicle-side; the flaw lay in the backend administrative/employee portal in the state it was in at the time of the research. Affected vehicle model years are not listed, but a 2023 Impreza was confirmed vulnerable.
- Configurations: Vulnerability was found in the Subaru web portal intended for staff access (`SubaruCS.com`).
## Vulnerability Description
Security researchers Sam Curry and Shubham Shah discovered multiple systemic failures in a Subaru administrative web portal used by employees. The primary vulnerability allowed them to hijack an employee account: they could reset an employee's password knowing only (or guessing) that employee's email address, because the security-question step of the reset flow was enforced by client-side code running in the browser rather than validated on the server, so it could be bypassed.
Gaining access to an employee account granted the researchers:
1. **Remote Vehicle Control Hijacking:** The ability to reassign control of vehicle features (unlocking, honking the horn, starting the ignition) to any chosen device.
2. **Extensive Location Data Access:** Retrieval of up to a year's worth of precise location history for affected vehicles, including detailed movement over time.
## Exploitation
- Status: **PoC available** (Researchers demonstrated the exploit to take over an account and hijack vehicle features).
- Complexity: **Low** (Exploitation relied on guessing emails and bypassing client-side validated security questions).
- Attack Vector: **Network** (Targeting the administrative web portal).
## Impact
- Confidentiality: **High** (Exposure of a year's worth of detailed location history for owners).
- Integrity: **High** (Ability to remotely control critical vehicle functions like locking/unlocking and ignition).
- Availability: **Low/Medium** (Indirect impact; disruption of service if control takeover was sustained, but not a direct Denial of Service).
## Remediation
### Patches
- Subaru confirmed they **immediately closed the vulnerability** in their Starlink service after being notified in late November. Specific patch versions were not detailed.
### Workarounds
- No explicit official workarounds were provided, as the vulnerability was patched swiftly. Researchers noted the underlying privacy concern remains: employees can still access extensive location history via legitimate (though heavily restricted) functionality in the admin panel.
## Detection
- The source does not describe network-level indicators for exploitation of this web portal.
- The lead that pointed the researchers at the portal was that the Starlink app on the researcher's mother's car communicated with the administrative domain `SubaruCS.com`.
- General detection/mitigation relies on logging all access and modification attempts to employee administrative portals.
## References
- [Researcher Blog Post on Hacking Subaru (Defanged)](https: //samcurry.net/hacking-subaru)
- [Vendor Advisory/Statement (referenced via WIRED coverage)]