Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
On November 20, 2024, Shubham Shah and Sam Curry discovered that Subaru’s STARLINK connected vehicle service contained a critical administrative flaw that allowed attackers to remotely query, track, and control any Subaru vehicle enrolled in the system.
An employee-facing admin portal had a flawed password reset feature and a bypassable two-factor authentication mechanism. By simply knowing or enumerating an employee’s email address, attackers could reset the account credentials without any confirmation step, then disable the 2FA prompt, which was enforced only on the client side. With these permissions, they could add themselves as authorized users to any internet-connected Subaru, retrieve location histories for up to a year, and access customers’ personally identifiable information (PII), billing details, and more, all without alerting the car owner.
The vulnerability’s impact was broad and alarming. An attacker could remotely lock and unlock any Subaru vehicle, start or stop the engine, and track each car’s movement down to precise coordinates. Sensitive data such as contact information, physical addresses, vehicle PINs, and support history were also exposed.
Fortunately, the researchers reported the vulnerability to Subaru, who patched the system within 24 hours. No malicious exploitation was detected, but the incident underscores the risks that come with broad employee privileges and poorly secured administrative tools, especially for connected automobiles that collect detailed, real-time location and vehicle data.
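As an added illustration (constructed for this post; it is neither the SecDim challenge code nor Subaru’s system), here is a minimal Python model of the two weaknesses described above beside a server-side fix: a reset that requires only an email address and a 2FA check that exists only in the browser, versus a single-use, out-of-band reset token and MFA verified by the server. The account list, the `_hash` helper and the `_mfa_code` stand-in for a TOTP step are all assumptions made so the example runs offline.

```python
"""Constructed model of an admin-portal password reset and 2FA flow.
Not SecDim's challenge code and not Subaru's system."""
import hashlib
import hmac
import secrets


def _hash(pw: str) -> str:
    # Stand-in only; a real portal uses a slow, salted hash (argon2id, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def _mfa_code(secret: str) -> str:
    # Stand-in for a TOTP step so the example needs no clock or network.
    return hmac.new(secret.encode(), b"step", hashlib.sha256).hexdigest()[:6]


class VulnerablePortal:
    """Knowing a staff email is enough: reset needs no proof of mailbox ownership,
    and the 2FA prompt is only drawn by the client, never checked by the server."""

    def __init__(self, accounts):
        self.accounts = {e: {"pw": _hash(p), "mfa": s} for e, p, s in accounts}

    def reset_password(self, email: str, new_pw: str) -> bool:
        if email not in self.accounts:
            return False
        self.accounts[email]["pw"] = _hash(new_pw)  # no token, no confirmation
        return True

    def login(self, email: str, pw: str, mfa_code: str = "") -> bool:
        acct = self.accounts.get(email)
        if not acct or not hmac.compare_digest(acct["pw"], _hash(pw)):
            return False
        return True  # mfa_code is ignored; the prompt lives only in the browser


class HardenedPortal:
    """Reset needs a single-use token delivered to the mailbox; MFA is enforced server-side."""

    def __init__(self, accounts):
        self.accounts = {e: {"pw": _hash(p), "mfa": s} for e, p, s in accounts}
        self.pending = {}  # sha256(token) -> email; each token is consumed once

    def request_reset(self, email: str):
        # The HTTP response to the caller is identical whether or not the email
        # exists; the token itself goes only to the mailbox on file (simulated here).
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def reset_password(self, token: str, new_pw: str) -> bool:
        email = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if email is None:
            return False  # unknown, expired or already-used token
        self.accounts[email]["pw"] = _hash(new_pw)
        return True

    def login(self, email: str, pw: str, mfa_code: str = "") -> bool:
        acct = self.accounts.get(email)
        if not acct or not hmac.compare_digest(acct["pw"], _hash(pw)):
            return False
        return hmac.compare_digest(mfa_code, _mfa_code(acct["mfa"]))  # checked here
```

In a deployed portal the token would also carry an expiry, and reset and login requests would be rate-limited and logged so that enumeration attempts against staff addresses are visible to the security team.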
We made a challenge that recreates this scenario. Think you can find and fix the security vulnerability?
Try it now:
Subaru.py
Join our secure coding and AppSec community: a discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec, code review, and more.