Ethical hackers Sam Curry and Shubham Shah managed to hack Subaru’s Starlink service. This gave the pair unlimited access to all vehicles and customer accounts in the U.S., Canada and Japan.
Curry explains everything that became possible once they were inside Subaru’s system. For example, the two could remotely start, stop, lock, unlock and track the location of any individual vehicle. Location history for the past year could also be retrieved, accurate to within 5 meters. Other sensitive customer data was up for grabs as well, including the last 4 digits of each customer’s credit card and the access code to their car. Finally, the hackers could see all customer service interactions, previous owners, odometer readings and sales history, among other details not listed here.
Quickly plugged
As befits ethical hackers, the vulnerability was reported to Subaru, which closed the hole within 24 hours. It is unknown whether malicious hackers ever accessed the Japanese automaker’s Starlink systems. A similar situation occurred at Volkswagen’s CARIAD in late 2024. In that case, the data of 600,000 cars was exposed through a vulnerability. Again, ethical hackers reported the threat to the company before any public loss of data occurred.
Curry and Shah found the domains and subdomains of the Subaru system with relative ease. They soon discovered that an admin panel was directly reachable, and that resetting a password there was child’s play. After taking over an employee account, it became possible to track the movements of individual Subaru cars over the past year. Only then did the pair realize how huge the data breach they had uncovered was: as mentioned, it involved mountains of sensitive data.
Cars know a lot
Previous research by Mozilla has already shown that modern cars are privacy nightmares. An awful lot of personal data can be derived from the information that “connected cars” pass on to their manufacturer. In that case, however, the data stays within the automakers’ walls and is only selectively resold. That is bad enough in itself, but a layer of security should at least prevent outsiders from accessing this data. Now it is clear what a goldmine awaits malicious parties who manage to break into an automaker’s central dashboard.
It is simply irresponsible to make such data immediately viewable, even to a software engineer’s admin account, without requiring any kind of location-based permission. There must be some friction between an admin and non-anonymized customer data. Once again, this shows the danger that excessive data collection poses to customers. The lucky part this time is that the ethical hackers were possibly ahead of their malicious counterparts, although that can never be said with certainty.