• Send Us A Tip
  • Calling all Tech Writers
  • Advertise
Saturday, July 18, 2026
  • Login
TechStory
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to
No Result
View All Result
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to
No Result
View All Result
TechStory
No Result
View All Result
Home Future Tech Internet of Things

Massive Security Vulnerability in Subaru’s STARLINK System Exposed by Ethical Hackers

by Samir Gautam
January 23, 2025
in Internet of Things, News, Tech
Reading Time: 3 mins read
0
TwitterWhatsappLinkedin

On November 20, 2024, cybersecurity researchers Shubham Shah and his colleague uncovered a critical vulnerability in Subaru’s STARLINK-connected vehicle service. The discovery was made through systematic testing and analysis of Subaru’s online systems, during which the researchers identified an improperly secured endpoint, allowing unauthorized access to sensitive vehicle functions and customer data. This vulnerability provided unrestricted targeted access to vehicles and customer accounts in the United States, Canada, and Japan. The exploit required minimal information, such as the victim’s last name, ZIP code, email address, phone number, or license plate.

You might also like

NTSB: Tesla Driver Overrode Full Self-Driving Before Fatal Texas Crash

Honda to Exit U.S. EV Market in 2027 as Prologue Production Ends

Apple Widens OpenAI Trade Secret Fight With Preservation Letters To 40 Former Staff As Lawsuit Targets Hardware Theft

Potential Exploits of the Vulnerability

Using the vulnerability, a malicious actor could have:

  • Remotely started, stopped, locked, and unlocked any vehicle by exploiting Subaru’s backend systems. The system’s lack of robust validation checks allowed unauthorized commands to be issued remotely, making vehicle control accessible with minimal information. This highlights the critical importance of secure authentication protocols in preventing unauthorized access to connected systems.
  • Retrieved real-time vehicle locations and a year’s worth of location history with pinpoint accuracy.
  • Accessed sensitive customer data, including personally identifiable information (PII), emergency contacts, billing details, and vehicle PINs.
  • Extracted additional data, such as support call history, odometer readings, and previous ownership details.

Thankfully, the issue was patched within 24 hours of being reported, and there is no evidence that the vulnerability was exploited maliciously.

Location Point Neighborhood Chart and Plot
Sam Curry and Shubham Shah accessed a year’s worth of location data for Curry’s mother’s 2023 Subaru Impreza through Subaru’s employee admin portal, exploiting its security weaknesses. Screenshot Credit Sam Curry.

Proof of Concept: A Demonstration of the Exploit

The researchers provided a chilling proof of concept, demonstrating how an attacker could take control of a Subaru vehicle using just its license plate in under 10 seconds. This was possible because the license plate information served as a unique identifier that could be used to query Subaru’s backend systems without requiring further authentication. By exploiting this design flaw, attackers could gain access to sensitive vehicle controls and data with minimal effort. They also showcased the retrieval of over a year’s worth of location data from a 2023 Subaru Impreza.

Unveiling the Flaw: A Step-by-Step Breakdown

Initial Testing on the MySubaru Mobile App

The researchers began by auditing the MySubaru app, which allows users to send vehicle commands. Using tools like Burp Suite, they intercepted HTTP requests but found no immediate vulnerabilities. The app’s endpoints were secured, and authorization was robust. Realizing the app wasn’t the weakest link, they shifted their focus to other Subaru-related online systems.

Discovering the STARLINK Admin Panel

With the help of Shubham’s colleague, Shrubs, they identified a promising domain: portal.prod.subarucs.com, which appeared to be the STARLINK admin panel. Through a combination of directory brute-forcing and examining JavaScript files, they discovered an endpoint vulnerability resulting from improper input validation and a lack of token-based confirmation checks. This oversight in development allowed the resetting of employee passwords without requiring an additional layer of authentication, leaving the system vulnerable to attacks. To prevent such flaws, developers must implement rigorous validation processes, ensure the use of secure confirmation mechanisms like time-limited tokens, and regularly audit endpoints for potential misconfigurations.

Exploiting the Password Reset Endpoint

The vulnerability in the password reset system allowed the researchers to take over any employee account, provided they had the corresponding email address. By enumerating employee emails using LinkedIn and a Subaru email pattern ([first_initial][last]@subaru.com), they identified an active user. Using the password reset functionality, they successfully took control of an account.

Circumventing Two-Factor Authentication

Although the researchers gained access to an employee’s account, they encountered a custom two-factor authentication (2FA) system. They began testing methods to bypass it, though their report did not disclose the details of further exploitation.

Immediate Response by Subaru

Upon receiving the report from Shah and Shubs, Subaru’s security team acted swiftly, patching the vulnerability within 24 hours. Subaru issued a statement thanking the researchers for their responsible disclosure and ensuring customers that the vulnerability had not been exploited maliciously.

Broader Implications

This incident highlights the critical need for robust security in connected vehicle services, underscoring the necessity for industry-wide measures like advanced threat modeling, routine system audits, and adopting secure-by-design principles. Such proactive approaches can prevent similar vulnerabilities and ensure a safer ecosystem for connected vehicles. The rise of smart vehicles introduces new attack surfaces, making it imperative for automakers to regularly audit and test their systems for vulnerabilities. Ethical hackers play a crucial role in identifying flaws before malicious actors can exploit them.

Tags: SpaceX StarlinkStarlink
Tweet56SendShare16
Previous Post

Tesla to Raise Car Prices in Canada Starting February 1, 2025

Next Post

Infosys Pocharam Campus Expansion to Generate 17,000 Jobs in Hyderabad

Samir Gautam

Recommended For You

NTSB: Tesla Driver Overrode Full Self-Driving Before Fatal Texas Crash

by Samir Gautam
July 18, 2026
0
NTSB: Tesla Driver Overrode Full Self-Driving Before Fatal Texas Crash

New details released by the National Transportation Safety Board (NTSB) have shed fresh light on a fatal Tesla crash in Katy, Texas, suggesting that the vehicle's Full Self-Driving...

Read more

Honda to Exit U.S. EV Market in 2027 as Prologue Production Ends

by Samir Gautam
July 18, 2026
0
Honda to Exit U.S. EV Market in 2027 as Prologue Production Ends

Honda's electric vehicle journey in the United States is about to hit an unexpected pause. The automaker has confirmed that the Honda Prologue, its only fully electric model...

Read more

Apple Widens OpenAI Trade Secret Fight With Preservation Letters To 40 Former Staff As Lawsuit Targets Hardware Theft

by Rounak Majumdar
July 18, 2026
0
Apple Widens OpenAI Trade Secret Fight With Preservation Letters To 40 Former Staff As Lawsuit Targets Hardware Theft

Apple is not done with its legal offensive against OpenAI. One week after filing a blockbuster lawsuit in the Northern District of California accusing OpenAI and two former...

Read more
Next Post
Infosys set to receive tax refund of Rs 6,329 crores from Income Tax Department

Infosys Pocharam Campus Expansion to Generate 17,000 Jobs in Hyderabad

Please login to join discussion

Techstory

Tech and Business News from around the world. Follow along for latest in the world of Tech, AI, Crypto, EVs, Business Personalities and more.
reach us at info@techstory.in

Advertise With Us

Reach out at - info@techstory.in

Aviator Game India 2026

BROWSE BY TAG

#Crypto #howto 2024 acquisition AI amazon Apple Artificial Intelligence bitcoin Business China cryptocurrency e-commerce electric vehicles Elon Musk Ethereum facebook funding Gaming Google India Instagram Investment ios iPhone IPO Market Markets Meta Microsoft News OpenAI samsung Social Media SpaceX startup startups tech technology Tesla TikTok trend trending twitter US

© 2025 Techstory.in

No Result
View All Result
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to

© 2025 Techstory.in

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?