A security flaw in Subaru vehicles enabled the remote tracking, unlocking, and starting of millions of cars. Remarkably, a complete year’s worth of location data was accessible, accurate within five meters…
Security researcher Sam Curry struck a unique agreement with his mother: he would purchase her a Subaru if she allowed him to attempt to hack it.
Initially, he searched for vulnerabilities within the MySubaru Mobile App but found no issues. He didn’t halt his efforts there, though.
Based on my previous experiences with automotive companies, I anticipated the existence of publicly available employee-focused applications that might hold broader permissions than those available to customers. With this in mind, I redirected my focus towards exploring other Subaru-related websites for potential vulnerabilities.
A friend assisted him in discovering a suspicious subdomain that required employee login credentials. After some exploration of a JavaScript directory on that site, they uncovered insecure password reset code: all it needed was a legitimate employee email address, which they located through a simple web search. They reset the password and consequently gained access.
The final obstacle was two-factor authentication (2FA), which turned out to be easy to bypass since it operated on the client side and could be disabled locally. Once past that hurdle, they were in.
The left sidebar contained a plethora of functionalities, but the most enticing was “Last Known Location”. I inputted my mom’s surname and ZIP code. Her car appeared in the search results. Upon clicking, I could view all the locations my mom had traveled to over the past year.
It appeared they also had the ability to take control of any Subaru equipped with Starlink. They verified this by obtaining permission to target a friend’s vehicle.
She provided us with her license plate, we pulled up her vehicle in the admin interface, then proceeded to add ourselves as authorized users for her car. After a few minutes, we confirmed that our account had been successfully created.
With access established, I inquired if they could check outside to see if anything was occurring with the car. I sent the “unlock” command, and they sent us this video.
Not only did they have control over the vehicle, but the owner did not receive any notification that an authorized user had been added to their account.
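A change to who may control a vehicle is exactly the kind of privileged action that should leave a trail in two places: an append-only audit record for the operator's own monitoring, and a message to the owner, who is the one party with a reason to object. The JavaScript below is an added example written for this article, not Subaru's code; the vehicle store, the `support_agent` role, the notification outbox and the sample agent are assumptions. It records the change, queues the owner notification unconditionally, and includes a simple detection over the audit log that flags an account adding itself to many distinct vehicles within a short window.

```javascript
// Added example (not Subaru's code): audit and owner notification for an
// admin "add authorized user" action, plus a detection over the audit log.
const auditLog = [];        // append-only record of privileged actions
const outbox = [];          // notifications queued for vehicle owners
const vehicles = new Map(); // vin -> { ownerEmail, authorizedUsers }

function registerVehicle(vin, ownerEmail) {
  vehicles.set(vin, { ownerEmail, authorizedUsers: new Set([ownerEmail]) });
}

// actor: { email, roles, sourceIp } describing the staff account making the change.
function addAuthorizedUser(vin, actor, newUserEmail, now = new Date()) {
  const v = vehicles.get(vin);
  if (!v) throw new Error("unknown vehicle");
  if (!actor.roles.includes("support_agent")) throw new Error("forbidden"); // hypothetical role
  v.authorizedUsers.add(newUserEmail);
  const event = {
    ts: now.toISOString(),
    action: "authorized_user_added",
    vin,
    actor: actor.email,
    target: newUserEmail,
    sourceIp: actor.sourceIp,
  };
  auditLog.push(event);
  // The owner is told regardless of who made the change or why.
  outbox.push({
    to: v.ownerEmail,
    subject: "A new user was given access to your vehicle",
    body: `${newUserEmail} was added as an authorized user for VIN ${vin} at ${event.ts}.`,
  });
  return event;
}

// Detection: any actor who adds users to >= threshold distinct vehicles
// within windowMs is flagged for review.
function findBulkAdds(log, threshold, windowMs) {
  const flagged = new Set();
  const byActor = new Map();
  for (const e of log) {
    if (e.action !== "authorized_user_added") continue;
    if (!byActor.has(e.actor)) byActor.set(e.actor, []);
    byActor.get(e.actor).push(e);
  }
  for (const [actor, events] of byActor) {
    events.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    let start = 0;
    for (let i = 0; i < events.length; i++) {
      while (Date.parse(events[i].ts) - Date.parse(events[start].ts) > windowMs) start++;
      const distinct = new Set(events.slice(start, i + 1).map((e) => e.vin));
      if (distinct.size >= threshold) flagged.add(actor);
    }
  }
  return [...flagged];
}
```

In a real deployment the outbox would be drained by a mailer and the audit log shipped to a SIEM; the threshold and window are tuning knobs, and a legitimate dealer onboarding burst would be handled by whitelisting that workflow rather than by raising the threshold for everyone.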
Curry reported the vulnerability to Subaru, which resolved the issue by the following day, also confirming that there were no indications of any unauthorized access.
Perhaps the most alarming aspect of this narrative is Curry's own admission that he found it hard to write the findings up, because he believed they would not surprise fellow security professionals.
Most readers of this blog are in the security field, so I truly doubt that the methods utilized for the password reset or 2FA circumvention are novel to anyone. What I found worth sharing was the severity of the vulnerability itself and the underlying mechanics of connected car systems.
The auto industry is distinct in that an 18-year-old employee from Texas can access the billing details of a car located in California without triggering any alarms. It is simply part of their routine tasks. Employees have access to extensive personal information, relying heavily on trust.
It appears quite challenging to adequately secure these systems when such wide access is inherently built into the system by design.
Image: Subaru. GIF courtesy of Sam Curry.