
Subaru Starlink Vulnerability Exposed Cars to Remote Hacking


A vulnerability in Subaru’s Starlink connected vehicle service provided unrestricted access to the accounts of customers in the US, Canada, and Japan, security researcher Sam Curry says.

Starlink, the in-vehicle infotainment system for Subaru vehicles, provided remote functionality that could be accessed from an administrator portal that only employees should have been able to reach.

Together with security researcher Shubham Shah, Curry discovered that the admin panel was hosted on a subdomain of subarucs.com and, after finding JavaScript files the subdomain was using, discovered that the password for any employee’s account could be changed without a confirmation token.

“If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account,” Curry explains.

After identifying a valid employee email, the researchers reset the password and then removed the client-side overlay from the UI to bypass two-factor authentication ...
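The two weaknesses the article describes, a password reset that accepts any employee email without a confirmation token and a two-factor check enforced only by a client-side overlay, are shown below next to a server-side version that closes both. This is an added illustration, not code from the article, Subaru, or the researchers; the store names, the example address and the function names are assumptions.

```python
import secrets
import time

# Constructed in-memory stores standing in for the portal's user and
# reset-token tables (assumption; not the real portal's data model).
USERS = {"employee@example.test": {"password": "old", "mfa_passed": False}}
RESET_TOKENS = {}  # token -> (email, expiry timestamp)


def reset_password_unchecked(email, new_password):
    """Weak pattern from the article: a valid email plus a new password is
    enough, with no proof that the requester controls that mailbox."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password"] = new_password
    return True


def issue_reset_token(email, ttl_seconds=900):
    """Hardened step 1: mint a random, single-use, expiring token that is
    delivered out of band (e-mail); the HTTP response to the caller should
    look identical whether or not the address exists."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, time.time() + ttl_seconds)
    return token


def reset_password_with_token(token, new_password):
    """Hardened step 2: the token, not the email, authorises the change."""
    entry = RESET_TOKENS.pop(token, None)  # pop makes the token single use
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry:
        return False
    USERS[email]["password"] = new_password
    USERS[email]["mfa_passed"] = False  # a fresh session must redo 2FA
    return True


def admin_action_allowed(email):
    """2FA state lives on the server and is checked on every privileged
    request; an overlay the browser can delete is not a control."""
    user = USERS.get(email)
    return bool(user and user["mfa_passed"])
```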


Copyright of this story solely belongs to securityweek.