Subaru’s STARLINK Vulnerability

By Christian Mary Lagua on February 6, 2025

Executive Summary

On November 20, 2024, a vulnerability was discovered in Subaru’s STARLINK vehicle service. This gave unauthorized access to sensitive user data such as Personally Identifiable Information (PII) and unauthorized remote access to any Subaru vehicle in the United States, Canada, and Japan. Although the vulnerability was patched within 24 hours of its discovery, this highlights the importance of addressing national security risks associated with U.S. connected vehicles.

Background

STARLINK is Subaru’s connected vehicle service that provides multimedia, smartphone connectivity, navigation, and safety and security features. However, a vulnerability in its admin portal allowed for arbitrary account takeover: attackers could brute-force password resets without requiring confirmation tokens. The issue stemmed from the exploitation of the JavaScript files located in the “/assets/_js/” folder, one of which was a “login.js” file, allowing unauthorized access to a user’s account. Because of the insecure password reset and inadequate two-factor authentication (2FA), attackers could easily bypass these security measures using basic information, such as a user’s email address or license plate number.

Exploitation

Sam Curry, a security researcher, borrowed his mom’s 2023 Subaru Impreza and was able to hack it. With the help of his friend Shubs, he found the domain of STARLINK’s admin portal, which allowed remote access to the vehicle. Using a password reset feature exposed in the JavaScript files, they were able to reset a user’s password without a confirmation token. Once logged in, they bypassed the 2FA prompt by removing the client-side overlay in the user interface (UI). This gave them access to the user’s information, including their street address, billing information, vehicle identification number (VIN), and even the exact coordinates of the vehicle’s last known location. An attacker could also add themselves as an authorized user and remotely control the vehicle. All of this could be done without the legitimate user’s knowledge, posing safety risks and exposing personal and financial information.

Significance and Impact

Many vehicle owners are unaware of the cybersecurity risks associated with their connected vehicles and the exposure of their personal data. Applying security measures to connected vehicle systems is crucial to protecting user privacy and safety, especially as advanced technology and connectivity make vehicles more vulnerable to cyberattacks. Weaknesses common in connected car system designs, such as weak authentication, improper implementation of data encryption, and delayed vulnerability fixes, increase exposure to cyber threats.

Mitigation

Implementing mitigations to protect connected vehicle systems can reduce the risk of vulnerabilities being exploited. This includes using multi-factor authentication (MFA) to strengthen account security, avoiding default or weak passwords that are susceptible to brute-force attacks, and restricting access to trusted networks through VPNs. Additionally, disabling unused connectivity features such as location sharing or remote start and enabling automatic updates help ensure the latest security protections are in place.

Conclusion

The Subaru STARLINK vulnerability sheds light on the growing cybersecurity risks in connected vehicles. Although quickly patched, it revealed the critical flaws in authentication and security protocols, emphasizing the need for stronger safeguards. Automakers must prioritize and address ongoing cybersecurity vulnerabilities through continuous patches and updates. Consumers must follow best practices and adopt security and privacy measures to protect their vehicles and personal data.

References

[1] Curry, S. (2025, January 23). “Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel.” Samcurry.net. https://samcurry.net/hacking-subaru

[2] Subaru (n.d.). “Subaru STARLINK In-Vehicle Technology.” Subaru.com. https://www.subaru.com/vehicle-info/subaru-starlink.html

[3] Vakulov, A. (2025, January 25). “Cybersecurity Threats to Modern Cars: How Hackers Are Taking Control.” Forbes.com. https://www.forbes.com/sites/alexvakulov/2025/01/25/cybersecurity-threats-to-modern-cars-how-hackers-are-taking-control/

[4] National Cybersecurity Alliance. (2024, January 8). “Connected Car Cybersecurity: Drive Safe Online.” Staysafeonline.org. https://www.staysafeonline.org/articles/connected-car-cybersecurity-drive-safe-online