How Hackers Could Have Hijacked Subaru Cars Across the US, Canada and Japan: A Detailed Report

Security researchers have identified a critical vulnerability in Subaru’s Starlink service that could have enabled attackers to take over accounts, track vehicles, and control them remotely in the United States, Canada, and Japan.
The flaw, reported by bug bounty hunter Sam Curry and researcher Shubham Shah on November 20, 2024, let an attacker who had reached the admin portal find a target vehicle from minimal information: a license plate, a last name and ZIP code, an email address, or a phone number.
The vulnerability granted unauthorized access to customer accounts and vehicles, posing significant risks. Exploitation could have allowed attackers to:
- Remotely start or stop vehicles, lock and unlock doors, and retrieve real-time location data.
- Access detailed location history from the past year, accurate to within five meters.
- Extract sensitive customer information, including emergency contacts, physical addresses, billing details, and vehicle PINs.
- View miscellaneous user data, such as support call logs, odometer readings, and ownership history.
Curry demonstrated the vulnerability in a video, showing how an attacker could retrieve a year's worth of location data for a Subaru vehicle in under 10 seconds. The issue stemmed from an insecure "resetPassword.json" API endpoint in the Starlink admin portal: it reset an employee's password for anyone who supplied that employee's email address, with no confirmation token sent to the mailbox and no other proof of ownership.
Once an employee account had been taken over this way, the researchers bypassed two-factor authentication (2FA): the 2FA prompt was enforced only in the browser, as an overlay drawn by the portal's front end, so removing that overlay from the page exposed the portal's functions without a code ever being entered. Behind it they found further API endpoints, including a vehicle search that needed only a last name, ZIP code, or license plate to return a target's vehicle. From there they could locate and control vehicles remotely.
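The two admin-portal defects described above, modelled side by side with their fixes. This is an added example written for this article; it is not Subaru's code, the Starlink portal's code, or the researchers' code. The class and function names (AdminPortal, reset_password_vulnerable, reset_password_fixed, browser_view), the sample employee record, the stand-in 2FA code and the sample vehicle record are all constructed for the example. In the fixed reset flow the token would be delivered to the account owner's mailbox; here request_reset returns it so the example runs offline.

```python
"""Added example (not Subaru's or the researchers' code).

Defect 1: a password reset that trusts the email address alone, next to a
reset bound to a random, single-use, expiring token.
Defect 2: 2FA enforced only by a browser overlay, next to 2FA enforced by the
server before a privileged endpoint answers.
"""
import hashlib
import hmac
import secrets
import time


def _h(s: str) -> str:
    # Toy hash for the example; use argon2/bcrypt for real passwords.
    return hashlib.sha256(s.encode()).hexdigest()


class AdminPortal:
    """Server side. Hypothetical stand-in for an admin portal like Starlink's."""

    def __init__(self):
        # Constructed sample data: one employee account, one vehicle record.
        self.users = {"employee@example.com": {"pw": _h("Winter2024!"), "mfa_ok": False}}
        self.reset_tokens = {}  # sha256(token) -> (bound email, expiry timestamp)
        self.vehicles = [{"last_name": "Doe", "zip": "12345", "vin": "CONSTRUCTED-VIN-000"}]

    # Defect 1 (the reported pattern): knowing the email is enough to reset.
    def reset_password_vulnerable(self, email, new_pw):
        if email not in self.users:
            return False
        self.users[email]["pw"] = _h(new_pw)
        return True

    # Fix, step 1: mint a random token, store only its hash, deliver it out of band.
    def request_reset(self, email):
        if email not in self.users:
            return None  # real code returns the same response either way, to prevent enumeration
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_h(token)] = (email, time.time() + 15 * 60)
        return token  # returned here only so the example runs offline

    # Fix, step 2: accept the new password only with a live, unused token bound to this account.
    def reset_password_fixed(self, email, token, new_pw):
        entry = self.reset_tokens.pop(_h(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        bound_email, expires_at = entry
        if time.time() > expires_at or not hmac.compare_digest(bound_email.encode(), email.encode()):
            return False
        self.users[email]["pw"] = _h(new_pw)
        return True

    def login(self, email, pw):
        u = self.users.get(email)
        if u is None or not hmac.compare_digest(u["pw"], _h(pw)):
            return False
        u["mfa_ok"] = False  # a password login never carries 2FA state into the session
        return True

    def verify_mfa(self, email, code):
        if code == "482913":  # constructed stand-in for a TOTP check
            self.users[email]["mfa_ok"] = True
            return True
        return False

    # Defect 2: the endpoint answers regardless of 2FA state; only the browser hides it.
    def vehicle_search(self, last_name, zip_code):
        return [v for v in self.vehicles if v["last_name"] == last_name and v["zip"] == zip_code]

    # Fix: the server refuses until 2FA has been completed for this session.
    def vehicle_search_server_gated(self, email, last_name, zip_code):
        if not self.users[email]["mfa_ok"]:
            raise PermissionError("2FA not completed")
        return self.vehicle_search(last_name, zip_code)


def browser_view(portal, email, last_name, zip_code, overlay_removed=False):
    """Client side of defect 2: the 2FA prompt is an overlay that can be deleted from the DOM."""
    if not portal.users[email]["mfa_ok"] and not overlay_removed:
        return "2FA overlay shown"  # what an honest user sees
    return portal.vehicle_search(last_name, zip_code)  # the unprotected endpoint still answers


def demo():
    p = AdminPortal()
    victim = "employee@example.com"
    took_over = p.reset_password_vulnerable(victim, "attacker-chosen")  # email alone succeeds
    blocked = p.reset_password_fixed(victim, "guessed-token", "attacker-chosen")  # no token, fails
    legit_token = p.request_reset(victim)
    legit = p.reset_password_fixed(victim, legit_token, "owner-chosen")  # token holder succeeds
    replay = p.reset_password_fixed(victim, legit_token, "again")  # second use fails
    p.login(victim, "owner-chosen")
    honest = browser_view(p, victim, "Doe", "12345")
    bypass = len(browser_view(p, victim, "Doe", "12345", overlay_removed=True))
    try:
        p.vehicle_search_server_gated(victim, "Doe", "12345")
        fixed = "allowed"
    except PermissionError:
        fixed = "denied"
    p.verify_mfa(victim, "482913")
    after_mfa = len(p.vehicle_search_server_gated(victim, "Doe", "12345"))
    return {"took_over": took_over, "blocked": blocked, "legit": legit, "replay": replay,
            "honest": honest, "bypass": bypass, "fixed": fixed, "after_mfa": after_mfa}


if __name__ == "__main__":
    print(demo())
```

The vulnerable reset succeeds with nothing but the email, the fixed reset fails without the out-of-band token and again on token reuse, and removing the overlay returns the vehicle record from the unprotected endpoint while the server-gated endpoint refuses until the 2FA step is actually completed.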
Curry confirmed the vulnerability’s reach by accessing his own Subaru vehicle through the admin dashboard and later testing it with a friend’s car using only the license plate.
Subaru responded promptly to the report, patching the flaw within 24 hours. The company confirmed that the vulnerability had not been exploited maliciously.
This incident highlights the critical need for robust cybersecurity measures in connected vehicle systems. Similar vulnerabilities have been found in other automaker systems, including Kia’s dealer portal, which also exposed millions of vehicles to potential theft.
For consumers, this serves as a reminder of the importance of securing personal data and advocating for stringent cybersecurity practices in the automotive industry.