Subaru’s Starlink multimedia technology made its debut in 2016, offering a comprehensive software suite that powers everything from the infotainment system to navigation and various modern conveniences found in cars today. While these systems are beloved by many, they also present lucrative targets for hackers. With the extensive access provided by Starlink, a malicious hack could potentially cause significant damage.
Fortunately, a critical vulnerability in Starlink was discovered by ethical hacker Sam Curry. In a detailed post on his blog, Curry recounts how he and a colleague identified the issue and successfully took control of two different Subaru vehicles. Upon discovering the vulnerability, Subaru was promptly notified, and a fix was promptly implemented. A Subaru spokesperson provided a statement to Motor1, reassuring customers that the vulnerability had been closed and no accounts were compromised.
The hackers were able to exploit the loophole in Starlink, gaining administrator access and adding themselves to individual accounts. This allowed them to locate and take control of any Subaru connected to Starlink by simply entering basic information such as the owner’s last name, zip code, or license plate number. Once inside, the hackers could manipulate functions such as door locks, engine start/stop, and real-time location tracking. Additionally, they could access the vehicle’s location history for the past 12 months, as well as personal data including authorized users, addresses, and partial credit card information.
The hackers successfully demonstrated their control over a 2023 Subaru Impreza and another vehicle, all with permission from the owners. Interestingly, the blog noted that actual vehicle owners did not receive notifications when new users were added to their accounts. This discovery serves as a stark reminder of the potential dangers of living in an interconnected world.
While the vulnerability was addressed before any malicious attacks occurred, it underscores the importance of robust cybersecurity measures in modern vehicles. As technology continues to advance, automakers must prioritize security to protect both the vehicles and the personal data of their customers. Stay tuned for more updates on cybersecurity in the automotive industry.
