A security flaw in Subaru vehicles enabled remote tracking, unlocking, and starting, impacting millions of cars. A year’s worth of location data was accessible, precise to within five meters…
Security researcher Sam Curry made an unusual agreement with his mother: he would purchase her a Subaru if she permitted him to attempt to hack it.
He began by searching for vulnerabilities in the MySubaru Mobile App, but his efforts were in vain. Undeterred, he continued his investigation.
Based on my previous encounters with automotive companies, I speculated there could be publicly accessible employee applications with broader permissions than their customer-facing counterparts. With this in mind, I redirected my efforts to explore other Subaru-related websites.
A colleague assisted him in uncovering a promising subdomain. Although it required an employee login, some exploration of the JavaScript directory unveiled insecure password reset code. All they needed was a valid employee email address, which they found through a quick online search. After resetting the password, they gained access.
The sole remaining hurdle was two-factor authentication (2FA), which was surprisingly easy to override: it was enforced only in the client-side code, so it could be removed locally. With that, they had full access.
The left sidebar featured various functions, with the most enticing labeled “Last Known Location.” I typed in my mother’s last name and ZIP code. Her vehicle appeared in the results. Curious, I clicked it and discovered her entire travel history for the past year.
They also found that they could remotely control any Subaru equipped with Starlink, testing this capability by obtaining permission to access a friend’s car.
She provided her license plate, and we accessed her vehicle in the admin panel. We then added ourselves as users of her car. After a few minutes, we confirmed that our account was created successfully.
With our newfound access, I asked them to check outside to see if anything was happening with their friend’s car. I initiated the “unlock” command, leading to this video.
Not only did they gain control of the vehicle, but the owner received no notification that an authorized user had been added to their account.
Curry reported the issue to Subaru, which resolved it by the next day and confirmed there was no evidence of any prior unauthorized access.
Perhaps the most alarming aspect of this incident is Curry’s perspective—that he found it difficult to articulate the whole situation as he doubted it would surprise most within the security field.
Most readers of this blog are already entrenched in security, so I don’t believe the password reset or 2FA bypass strategies will be new to anyone. What I found worthwhile to highlight was the significance of the bug itself and the operational mechanics behind connected car systems.
The automotive sector is distinctive in that an 18-year-old employee in Texas can access the billing records of a vehicle located in California without raising concern. This is part of their everyday responsibilities. Employees are granted access to vast amounts of personal information, and the entire framework relies heavily on trust.
It appears extremely challenging to secure these systems thoroughly when broad access is inherently integrated into the system from the outset.