Full Report
A now-patched vulnerability could have enabled threat actors to remotely control Subaru cars
Analysis Summary
# Vulnerability: Arbitrary Account Takeover in Subaru Starlink Admin Portal
## CVE Details
- CVE ID: Not explicitly provided in the article.
- CVSS Score: Not explicitly provided in the article.
- CWE: Not assigned in the article; the flaw falls under broad categories such as CWE-284 (Improper Access Control) or CWE-639 (Authorization Bypass Through User-Controlled Key).
## Affected Systems
- Products: Subaru Starlink in-vehicle service admin portal.
- Versions: Not specified, but the issue was related to the backend platform managing connected vehicles in the US, Canada, and Japan.
- Configurations: Any system utilizing the affected admin portal infrastructure.
## Vulnerability Description
Security researchers discovered an arbitrary account takeover flaw in the administrative portal used to manage Subaru's Starlink in-vehicle service. Because the portal's MFA check was enforced only client-side (in a UI overlay that could be dismissed), an attacker who took over an employee account could reach privileged functionality without a second factor. That access exposed endpoints for searching vehicles (by customer PII, VIN or license plate) and for managing vehicle access. Consequently, an attacker could remotely control, track, and access sensitive customer and vehicle data for virtually any Subaru vehicle managed by the system in the US, Canada, and Japan.
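The weakness described above is a general one: a privileged endpoint whose MFA gate lives only in the browser. The following is an added illustration, not code from Subaru, the portal, or the researcher's write-up; every name, the session model and the enrolled code are hypothetical. It contrasts a handler that trusts a client-supplied "MFA passed" flag with one that consults server-side session state that only the server can set.

```python
"""Client-side-only MFA gating versus server-side enforcement.
Added example with hypothetical names; not the portal's real code."""
from dataclasses import dataclass
import hmac


@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_verified: bool = False   # set only by the server after a valid second factor


# Hypothetical enrolment table with a constructed one-time code.
ENROLLED_CODES = {"analyst@example.test": "482913"}


def verify_second_factor(session: Session, code: str) -> bool:
    """Server-side second-factor check; flips the session flag on success."""
    expected = ENROLLED_CODES.get(session.user)
    if expected is not None and hmac.compare_digest(expected, code):
        session.mfa_verified = True
        return True
    return False


# --- Weak pattern: the server trusts a flag the client sends -----------------
def weak_search_vehicles(session: Session, request: dict) -> str:
    # The UI hides the search page behind an MFA overlay and sends
    # mfa_passed=true once the overlay is dismissed. The server never
    # verifies a second factor itself, so the overlay is the only gate.
    if not session.password_ok:
        return "401 unauthenticated"
    if request.get("mfa_passed") != "true":
        return "403 mfa required"
    return f"200 results for {request['query']}"


# --- Corrected pattern: the server's own session state is authoritative ------
def require_mfa(handler):
    """Decorator that refuses privileged handlers until the session has
    completed a server-verified second factor."""
    def wrapper(session: Session, request: dict) -> str:
        if not session.password_ok:
            return "401 unauthenticated"
        if not session.mfa_verified:
            return "403 mfa required"
        return handler(session, request)
    return wrapper


@require_mfa
def search_vehicles(session: Session, request: dict) -> str:
    return f"200 results for {request['query']}"
```

The point of the corrected pattern is that nothing the browser sends can change `mfa_verified`; the flag is written only by `verify_second_factor`, so every privileged handler wrapped in `require_mfa` stays closed until the server itself has seen a valid factor.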
## Exploitation
- Status: Proof-of-concept established by the researcher. The article does not state that the flaw was exploited in the wild before discovery.
- Complexity: Low (due to MFA bypass simplicity).
- Attack Vector: Network (accessing the administrative portal).
## Impact
- Confidentiality: High (Retrieval of PII, billing info, location history, emergency contacts, etc.).
- Integrity: High (Ability to remotely start/stop/lock/unlock vehicles).
- Availability: Medium (Ability to disrupt vehicle operation via remote commands).
## Remediation
### Patches
- Patches were deployed by Subaru within 24 hours of the researcher's outreach. Specific patch versions are not detailed in the article.
### Workarounds
- No technical workarounds were described; the article reports that the vendor fully remediated the issue with its patch.
## Detection
- Indicators of Compromise: Unusually high query volume against vehicle search endpoints on the administrative backend, or remote commands issued against specific VINs/accounts with no corresponding support activity.
- Detection methods and tools: Monitoring administrative access logs and access patterns for anomalous employee activity involving customer PII lookups or vehicle control functions.
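As an added example of the monitoring described above, the script below scans admin-portal audit lines for the two indicators named: a burst of vehicle searches by one account, and a remote command against a vehicle with no open support case. It is not from the article or from Subaru; the log format, field names, the ten-minute window, the search threshold and the open-case table are all constructed assumptions.

```python
"""Detection over constructed admin-portal audit lines (added example).
Log format, thresholds and the case table are assumptions, not Subaru's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

SEARCH_LIMIT = 5                 # searches per user per window before alerting
WINDOW = timedelta(minutes=10)

# Hypothetical: VINs with an open support case, i.e. where a command is expected.
OPEN_CASES = {"VIN_CONSTRUCTED_0001"}

# Constructed sample log: one analyst burst-searching, then two commands.
SAMPLE_LOG = [
    "2025-01-20T10:00:00Z user=analyst01 action=vehicle_search key=plate:ABC123",
    "2025-01-20T10:00:30Z user=analyst01 action=vehicle_search key=plate:ABC124",
    "2025-01-20T10:01:00Z user=analyst01 action=vehicle_search key=plate:ABC125",
    "2025-01-20T10:01:30Z user=support02 action=vehicle_search key=VIN:VIN_CONSTRUCTED_0001",
    "2025-01-20T10:01:40Z user=analyst01 action=vehicle_search key=plate:ABC126",
    "2025-01-20T10:02:00Z user=analyst01 action=vehicle_search key=plate:ABC127",
    "2025-01-20T10:02:30Z user=analyst01 action=vehicle_search key=plate:ABC128",
    "2025-01-20T10:03:00Z user=analyst01 action=vehicle_search key=plate:ABC129",
    "2025-01-20T10:05:00Z user=support02 action=remote_command cmd=unlock vin=VIN_CONSTRUCTED_0001",
    "2025-01-20T10:06:00Z user=analyst01 action=remote_command cmd=unlock vin=VIN_CONSTRUCTED_0002",
    "this line is malformed and is skipped",
]


def parse(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "user": m["user"], "action": m["action"]}
    rec.update(KV_RE.findall(m["rest"]))   # remaining key=value pairs
    return rec


def detect(lines):
    """Yield (indicator, user, detail) tuples for the two indicators."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of searches in the window
    flagged = set()               # users already reported for search volume
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["action"] == "vehicle_search":
            q = recent[rec["user"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) > SEARCH_LIMIT and rec["user"] not in flagged:
                flagged.add(rec["user"])
                alerts.append(("search_volume", rec["user"], len(q)))
        elif rec["action"] == "remote_command":
            if rec.get("vin") not in OPEN_CASES:
                alerts.append(("unexpected_command", rec["user"], rec.get("vin")))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In practice the threshold would be derived from each role's baseline rather than a constant, and the open-case lookup would come from the ticketing system; the structure of the check (a per-account sliding window for lookups, and a cross-reference for control commands) is what carries over.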
## References
- [Researcher disclosure (no separate vendor advisory is cited): Sam Curry's blog post](https://samcurry.net/hacking-subaru)
- [News article: Infosecurity Magazine](https://www.infosecurity-magazine.com/news/subaru-bug-remote-vehicle-tracking/)