The Subaru Starlink flaw lets hackers target cars in US and Canada

January 29, 2025
Subaru Starlink Flaw Security Vulnerability Automotive US Canada Hacking

The newly uncovered Subaru Starlink flaw is an alleged arbitrary account takeover weakness in the automobile’s Starlink service.

Reports stated that the bug could allow threat actors to use license plates to follow, control, and hijack Subaru cars in the US, Canada, and Japan. According to researchers, the flaw was identified in November last year.

During that period, they found that the flaw could give an attacker full access to every US, Canadian, and Japanese customer account and vehicle. The only prerequisite for the attack is knowledge of the target’s last name, ZIP code, email address, phone number, or license plate.


The new Subaru Starlink flaw could inflict significant compromise on numerous car owners.


The Subaru Starlink flaw could have had various disastrous repercussions for car owners. The investigation shows that attackers could remotely trigger critical vehicle functions such as starting, stopping, locking, and unlocking, and retrieve the car’s accurate real-time location.

In addition, they could also view a complete year’s worth of location history, which was accurate to within five metres and updated with each engine start. A breach could also expose the consumers’ personally identifiable information, including sensitive details such as emergency contacts, authorised users, physical addresses, and payment information (although not complete credit card numbers).

Hackers might also gain access to a substantial amount of user data, such as support call logs, past ownership records, odometer readings, and sales histories.

Furthermore, the researchers revealed that Subaru Starlink’s admin interface contained an arbitrary account takeover weakness: a “resetPassword.json” API endpoint that let Subaru staff reset their account password using only a valid email address, with no confirmation token.

After taking over an employee’s account, an attacker would still face a 2FA prompt before accessing the site. However, that prompt was enforced only as a client-side overlay, so it could be bypassed simply by removing the overlay from the portal’s user interface.
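The two weaknesses described above (a reset endpoint that trusts a bare email address, and a 2FA prompt enforced only in the browser) placed next to a hardened version, as an added illustration that is neither Subaru’s code nor from the original article; the in-memory user store, the 15-minute token lifetime, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store standing in for the portal's database
# (hypothetical). sha256 stands in for a real password hash such as argon2.
users = {"staff@example.test": {"pw": hashlib.sha256(b"old").hexdigest(), "reset": None}}


def reset_password_insecure(email, new_pw):
    """Mirrors the flaw described above: anyone who knows a valid staff email
    can set a new password, with no proof of control over the mailbox."""
    user = users.get(email)
    if user is None:
        return False
    user["pw"] = hashlib.sha256(new_pw.encode()).hexdigest()
    return True


def request_reset(email, now=None):
    """Hardened step 1: issue a random single-use token, store only its hash
    plus an expiry, and return the token for delivery to the mailbox."""
    user = users.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = {"h": hashlib.sha256(token.encode()).hexdigest(),
                     "exp": (now or time.time()) + 900}   # 15-minute lifetime (assumed)
    return token


def reset_password(email, token, new_pw, now=None):
    """Hardened step 2: only a fresh, unused, matching token may set a password."""
    user = users.get(email)
    rec = user["reset"] if user else None
    if rec is None or (now or time.time()) > rec["exp"]:
        return False
    if not hmac.compare_digest(rec["h"], hashlib.sha256(token.encode()).hexdigest()):
        return False
    user["reset"] = None                      # single use: burn the token first
    user["pw"] = hashlib.sha256(new_pw.encode()).hexdigest()
    return True


def admin_allowed(session):
    """Server-side MFA gate: an overlay the browser can delete is not a control;
    the server must check the session's MFA state on every privileged request."""
    return bool(session.get("authenticated")) and bool(session.get("mfa_verified"))
```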

The researchers also verified that they could perform all of the operations exposed by the portal against a friend’s Subaru using only its license plate. Subaru fixed the issue within 24 hours of the researchers’ disclosure, and it was never exploited by an attacker.
