
Hacking Subaru: Tracking and controlling cars via the admin panel


On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following: retrieve the street address, phone number, email, emergency contacts, authorized users, and billing information of any Subaru STARLINK customer.

We wanted to confirm that there was nothing we were missing, so we reached out to a friend and asked if we could hack her car to demonstrate that there was no prerequisite or feature which would’ve actually prevented a full vehicle takeover.
