An ethical hacker identified an arbitrary account takeover flaw in the administrator portal for Subaru’s Starlink service, which could allow a threat actor to hijack a vehicle through a Subaru employee account. This vulnerability could allow a threat actor to remotely track, unlock, and start connected vehicles. The ethical hacker reported to Subaru that they could bypass multi-factor authentication (MFA) by removing the client-side overlay from the user interface; the second factor was enforced only in the browser, not by the server. Through various endpoints, the ethical hacker could then use a vehicle search to look up a vehicle by a consumer’s last name, ZIP code, telephone number, email address, or VIN and gain access to it.
This “access” allowed the ethical hacker to:
- Remotely start, turn off, lock, unlock, and retrieve the current location of any Subaru vehicle.
- Retrieve a Subaru vehicle’s location history from the past 12 months, accurate to within about 15 feet.
- Query and retrieve the personal information of any consumer, including emergency contacts, authorized users, physical address, billing information, and vehicle PIN.
- Access other user data (e.g., support call history, previous owners, odometer reading, sales history, etc.).
The ethical hacker informed Subaru that this vulnerability could allow any threat actor to track and hijack any Subaru vehicle in the United States, Canada, or Japan. Fortunately, Subaru responded to the ethical hacker’s outreach immediately and patched the offending vulnerability within 24 hours, but this issue raises wider concerns about the motor vehicle industry. When broad access is built into vehicle back-end systems by default, those systems are very difficult to secure against outside threats. Manufacturers might consider security by design when building these systems, balancing ease of service against consumer information security.
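The MFA bypass described above worked because the second factor was gated only by a client-side overlay. The following is an added illustration, not Subaru’s code: a toy admin-portal vehicle search in which the flawed handler trusts that the client displayed the MFA step, beside a hardened handler that checks the server-side session state on every privileged request. All endpoint names, fields and records are constructed for the example.

```python
"""Added example: why MFA must be enforced server-side, not by the UI.

Toy model of an admin portal exposing a vehicle search. Not Subaru's code;
handler names, fields and records are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample records standing in for the portal's vehicle data.
VEHICLES = [
    {"vin": "VIN-EXAMPLE-0001", "last_name": "Doe", "zip": "90210",
     "email": "jdoe@example.com", "phone": "555-0100"},
    {"vin": "VIN-EXAMPLE-0002", "last_name": "Roe", "zip": "10001",
     "email": "rroe@example.com", "phone": "555-0101"},
]

@dataclass
class Session:
    user: str
    authenticated: bool          # password accepted
    mfa_verified: bool = False   # second factor completed, recorded server-side

def search(records, **criteria):
    """Match a record on any one of last_name / zip / email / phone / vin."""
    return [r for r in records
            if any(r.get(k) == v for k, v in criteria.items())]

def vehicle_search_vulnerable(session, **criteria):
    """Flawed design: the server assumes the client showed the MFA overlay.
    A client that strips the overlay reaches this code with a
    password-only session and still gets results."""
    if not session.authenticated:
        raise PermissionError("login required")
    return search(VEHICLES, **criteria)

def vehicle_search_hardened(session, **criteria):
    """Fix: MFA state lives in the server-side session and is checked on
    every privileged endpoint; the overlay becomes a convenience only."""
    if not session.authenticated:
        raise PermissionError("login required")
    if not session.mfa_verified:
        raise PermissionError("MFA not completed for this session")
    return search(VEHICLES, **criteria)

def denied(handler, session, **criteria):
    """Return True if the handler refuses the request with PermissionError."""
    try:
        handler(session, **criteria)
    except PermissionError:
        return True
    return False
```

Run with a session whose password step succeeded but whose MFA step never did: the vulnerable handler returns vehicle records, the hardened one refuses.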