Full Report
Sam Curry and friends have pwned the auto industry for fun multiple times. This time, they set their eyes on Subaru. The initial tests around the main Subaru mobile app didn't lead to anything; it was well secured. After talking with Shubs about this, Shubs discovered a website that Sam hadn't seen before - subarucs.com. Upon looking at subdomains of this, they found a website with the title STARLINK Admin Portal. Not the Elon Musk Starlink - it's the name of Subaru's in-vehicle infotainment system for remote functionality. With no login creds, it wasn't very interesting.

While reading the JavaScript, they found both starlinkEnroll.js and login.js, which included references to a password reset. The JavaScript used for the password reset functionality had ZERO confirmation token on it. If this functionality worked as it looked in the JS, then a single POST request could reset the password of an internal employee account. Unfortunately, this required a valid email, which they didn't have - but it DID work for enumeration. This had 2FA - literally just the city you lived in. Luckily for them, the 2FA was enforced on the client side only. Now they could log in to this user's account with the password that they had set.

On the website, they were able to track a user's exact coordinates for the last year. It contained a vehicle search based on a lot of criteria as well. The panel allowed for attaching to an account without the consent of anyone. So, they used this to attach their account to a friend's car and then remotely started executing commands. Wild! Two fairly simple bugs. To me, the asset discovery and reverse engineering of the web page are the interesting parts. In web3, virtually everything is open source, so this process is super fascinating to me.
Analysis Summary
# Vulnerability: Arbitrary Account Takeover and Unauthorized Remote Vehicle Control via STARLINK Admin Portal
## CVE Details
- **CVE ID**: Not assigned (Disclosed via coordinated vulnerability research)
- **CVSS Score**: 10.0 (Critical) - *Estimated based on total loss of vehicle control and PII exposure.*
- **CWE**:
  - CWE-620: Unverified Password Change
  - CWE-601: Redirection to Insecure Link
  - CWE-302: Authentication Bypass by Assumed-Immutable Data (Client-side 2FA enforcement)
## Affected Systems
- **Products**: Subaru STARLINK Connected Vehicle Service / Admin Portal
- **Versions**: All versions prior to November 21, 2024
- **Configurations**: Any internet-connected Subaru vehicle (U.S., Canada, and Japan) managed via the STARLINK administrative infrastructure.
## Vulnerability Description
The vulnerability consists of a multi-stage authentication bypass within the STARLINK Admin Portal (`portal.prod.subarucs[.]com`):
1. **Broken Password Reset Logic**: The password reset functionality lacked a confirmation token or unique identifier requirement. A single unauthenticated POST request could reset the password of any valid internal employee account.
2. **Client-Side 2FA Bypass**: The portal implemented a "Security Question" (city of residence) as a secondary authentication factor. This check was enforced solely on the client side (in JavaScript), allowing attackers to bypass the requirement by intercepting or modifying the response, or by navigating directly to the post-auth dashboard.
3. **Insecure Administrative Permissions**: Once authenticated, the portal provided broad access to query vehicle data by license plate or VIN and allowed users to add themselves as "authorized users" to any vehicle without owner consent or notification.
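To make the first two weaknesses concrete from the defender's side, here is an added example (not Subaru's code or the researchers') of a reset-and-login flow that does server-side what the portal left to the browser: a single-use, expiring reset token delivered only to the account owner, a uniform response that gives no enumeration oracle, and the security question verified on the server. The user store layout, field names and the fixed salt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"demo-fixed-salt"  # simplification; use a per-user random salt in practice

def kdf(secret: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000).hex()

def answer_hash(answer: str) -> str:
    # Security-question answer, normalised so "Columbus" and " columbus " match.
    return kdf(answer.strip().lower())

class ResetService:
    TOKEN_TTL = 900  # seconds a reset token stays valid

    def __init__(self, users: dict):
        self.users = users    # email -> {"pw": hash, "city": hash}
        self.outbox = {}      # email -> token; stands in for the e-mail channel
        self._pending = {}    # sha256(token) -> (email, expiry)

    def request_reset(self, email: str) -> str:
        # Identical reply whether or not the account exists (no enumeration
        # oracle); the token only ever goes to the account's own mailbox.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (email, time.time() + self.TOKEN_TTL)
            self.outbox[email] = token
        return "If that account exists, a reset link has been sent."

    def reset_password(self, token: str, new_password: str) -> bool:
        # The step the portal lacked: a valid, unexpired, single-use token is
        # required instead of just an email address and a new password.
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or time.time() > entry[1]:
            return False
        self.users[entry[0]]["pw"] = kdf(new_password)
        return True

    def login(self, email: str, password: str, city: str) -> bool:
        # Both factors are checked here on the server, so skipping the city
        # prompt in the browser yields no session.
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(user["pw"], kdf(password)):
            return False
        return hmac.compare_digest(user["city"], answer_hash(city))
```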
## Exploitation
- **Status**: PoC available; the bypass was confirmed in the researchers' test environment. No evidence of exploitation in the wild.
- **Complexity**: Low
- **Attack Vector**: Network
## Impact
- **Confidentiality**: **High** - Access to 12 months of location history (5 m accuracy), PII (billing info, home address), and vehicle PINs.
- **Integrity**: **High** - Ability to add unauthorized users to accounts and modify vehicle settings.
- **Availability**: **High** - Ability to remotely start/stop engines, lock/unlock doors, and potentially immobilize vehicles.
## Remediation
### Patches
- **Subaru Internal Patch (Nov 21, 2024)**: Server-side validation was implemented to fix the password reset logic and enforce 2FA on the backend.
### Workarounds
- There are no user-side workarounds as the flaw resided in the manufacturer's administrative infrastructure.
## Detection
- **Indicators of Compromise**:
  - Unexpected "Authorized User" additions in the MySubaru app (though researchers noted notifications were not triggered in their PoC).
  - Administrative logs showing password resets originating from unusual IP addresses.
- **Detection Methods**: Monitoring for unauthorized telematics commands (Lock/Unlock/Start) originating from the STARLINK Admin Portal rather than the customer's mobile device.
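The indicators and detection methods above, turned into a small triage pass over portal audit logs, as an added example that is not part of the original report. The key=value log layout, the event and field names, and the staff egress netblock are all assumptions; the log lines are constructed. Findings are escalated when a password reset from outside the staff network is followed by that same account adding an authorized user or issuing a vehicle command through the admin portal.

```python
import ipaddress
import re

# Assumed egress ranges for portal staff (constructed; adjust to your environment).
STAFF_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed audit lines in an assumed key=value layout, not real portal logs.
SAMPLE_LOG = """\
2024-11-20T13:58:02Z event=login account=staff1@example.com src_ip=198.51.100.7
2024-11-20T14:02:11Z event=password_reset account=staff2@example.com src_ip=203.0.113.45
2024-11-20T14:03:40Z event=add_authorized_user actor=staff2@example.com vin=VIN-PLACEHOLDER-001 origin=admin_portal
2024-11-20T14:05:30Z event=telematics_cmd actor=staff2@example.com vin=VIN-PLACEHOLDER-001 cmd=UNLOCK origin=admin_portal
2024-11-20T14:06:01Z event=telematics_cmd actor=owner@example.com vin=VIN-PLACEHOLDER-002 cmd=LOCK origin=mobile_app
2024-11-20T14:10:00Z event=password_reset account=staff3@example.com src_ip=198.51.100.9
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def from_staff_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in STAFF_NETS)

def detect(log_text: str) -> list:
    """Return (rule, actor, detail) tuples; chained findings get an escalated rule name."""
    alerts, suspicious_accounts = [], set()
    for line in log_text.splitlines():
        ev = parse(line)
        kind = ev.get("event")
        if kind == "password_reset" and not from_staff_network(ev["src_ip"]):
            suspicious_accounts.add(ev["account"])
            alerts.append(("RESET_FROM_EXTERNAL_IP", ev["account"], ev["src_ip"]))
        elif kind == "add_authorized_user" and ev.get("origin") == "admin_portal":
            # The owner is never asked to consent, so every portal-side addition is reviewed.
            rule = "RESET_THEN_USER_ADDED" if ev["actor"] in suspicious_accounts else "ADMIN_ADDED_AUTHORIZED_USER"
            alerts.append((rule, ev["actor"], ev["vin"]))
        elif kind == "telematics_cmd" and ev.get("origin") == "admin_portal":
            # Lock/unlock/start should come from the owner's device, not the portal.
            rule = "RESET_THEN_VEHICLE_COMMAND" if ev["actor"] in suspicious_accounts else "COMMAND_FROM_ADMIN_PORTAL"
            alerts.append((rule, ev["actor"], f"{ev['vin']}:{ev['cmd']}"))
    return alerts
```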
## References
- Sam Curry Blog: hxxps://samcurry[.]net/subaru-report
- Researcher Twitter: hxxps://x[.]com/samwcyo
- Subaru STARLINK Portal (Defanged): hxxps://portal.prod.subarucs[.]com/login.html