Hackers Gain Control of Subaru Vehicles Through Software Vulnerability

In today’s technology-driven world, cars are more connected than ever, providing convenience but also opening the door to potential security risks. A recent revelation underscores the vulnerabilities that come with these connected vehicles.

A security researcher, Sam Curry, along with his associate Shubham Shah, unveiled how they managed to exploit the Subaru Starlink system—a platform integral to Subaru vehicles, enabling remote control features like locking, unlocking, and ignition.

Curry and Shah discovered a critical flaw in the Subaru employee login page related to the Starlink software. The flaw allowed them to identify a valid employee email address, reset that account’s password, and bypass two-factor authentication. Once logged in, they realized how far the access reached: they could track any registered Subaru car using basic information such as a customer’s name, phone number, email, or even a vehicle identification number (VIN), which is sometimes accessible via a license plate.

The breach exposed an array of sensitive data: billing information, emergency contacts, and even the vehicle’s location history from the past year. Disturbingly, Curry could retrieve precise location coordinates, complete with timestamps and odometer readings.

Perhaps most concerning was Curry’s ability to add himself as an authorized user in the system for a friend’s car. This enabled him to control the car remotely (locking, unlocking, starting the ignition) and monitor its whereabouts, while the actual owner received no alert that a user had been added.

Following Curry’s discovery in November 2024, Subaru swiftly addressed the vulnerability by issuing a patch within 24 hours of the report—a commendable response time. However, this incident highlights a broader issue: as technologically sophisticated as our cars become, they remain susceptible to threats from hackers and other malevolent entities.

This serves as a vital reminder of the need for stringent security measures in the ever-evolving world of connected automobiles. With the conveniences of modern technology, it is crucial to remain vigilant about potential vulnerabilities that could compromise personal data and vehicle security.