Simple STARLINK Bug Let Hackers Control Every Connected Subaru

January 25, 2025

Security researchers gained complete control of Subaru vehicles worldwide using only basic customer information like license plates or ZIP codes

Motor Illustrated reports:

Security researchers discovered a critical vulnerability in Subaru’s STARLINK connected vehicle service that allowed unauthorized access to vehicles and customer data across the United States, Canada, and Japan, according to a blog post published by security researcher Sam Curry on January 23, 2025. The flaw, found during Thanksgiving 2024 and patched within 24 hours, could have exposed extensive vehicle control capabilities and sensitive customer information.

Global Vehicle Access Through Admin Portal Weakness

Researchers Sam Curry and Shubham Shah identified the vulnerability in Subaru’s STARLINK admin portal on November 20, 2024. Using only basic customer information—such as a last name and ZIP code, email address, phone number, or license plate number—attackers could have gained complete access to vehicle controls and data. The system tracked vehicle locations with 5-meter accuracy, logging coordinates each time an engine started over the past year.

Read more at Motor Illustrated.