Ethical hackers identified an arbitrary account takeover flaw in the administrator portal for Subaru’s Starlink service, which could allow a threat actor to hijack a vehicle through a Subaru employee account. This vulnerability could allow a threat actor to remotely track, unlock, and start connected vehicles. The ethical hackers reported to Subaru that they could bypass multi-factor authentication (MFA) by removing the client-side overlay from the user interface, because the MFA prompt was enforced only in the browser and not by the server. Through various endpoints, the ethical hackers could then use the portal’s vehicle search to look up a vehicle by a consumer’s last name, zip code, telephone number, email address, or VIN and gain access to that vehicle.
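
The MFA bypass described above is a common pattern: the second factor is gated by a client-side overlay, while the server treats any logged-in session as fully authenticated. The following is an added example, not code from the original post or from Subaru, that models the weak pattern next to its hardened form. Every name, record and secret in it (the `EMPLOYEES` and `VEHICLES` tables, the `vehicle_search_*` functions, the TOTP secret) is constructed for illustration; the point is that the hardened endpoint consults a server-side `mfa_verified` flag that no change to the user interface can set.

```python
"""Added example (not the original post's or Subaru's code): why MFA must be
enforced on the server, not by a client-side overlay.

All employee, vehicle and secret values below are constructed placeholders."""

import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional

# Constructed sample data: one hypothetical portal employee and one vehicle record.
EMPLOYEES = {
    "alice": {"password": "correct horse", "totp_secret": b"constructed-secret"},
}
VEHICLES = {
    "record-1": {"vin": "CONSTRUCTED-VIN-0001", "owner_zip": "02903"},
}

# Server-side session store: token -> {"user": ..., "mfa_verified": bool}
SESSIONS: Dict[str, dict] = {}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1), used here to model a second factor."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(user: str, password: str) -> str:
    """First factor only: returns a session token whose MFA state is still pending."""
    record = EMPLOYEES.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        raise PermissionError("bad credentials")
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user, "mfa_verified": False}
    return token


def verify_mfa(token: str, code: str, now: Optional[int] = None) -> bool:
    """Second factor: flips the server-side flag only when the submitted code is valid."""
    session = SESSIONS[token]
    secret = EMPLOYEES[session["user"]]["totp_secret"]
    at = int(time.time()) if now is None else now
    if hmac.compare_digest(totp(secret, at), code):
        session["mfa_verified"] = True
    return session["mfa_verified"]


def vehicle_search_vulnerable(token: str, zip_code: str) -> List[dict]:
    """Weak pattern: assumes the UI overlay forced MFA, so the server checks only login."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    return [v for v in VEHICLES.values() if v["owner_zip"] == zip_code]


def vehicle_search_hardened(token: str, zip_code: str) -> List[dict]:
    """Hardened pattern: every sensitive endpoint checks the server-side MFA state itself."""
    session = SESSIONS.get(token)
    if session is None:
        raise PermissionError("not logged in")
    if not session["mfa_verified"]:
        raise PermissionError("mfa required")
    return [v for v in VEHICLES.values() if v["owner_zip"] == zip_code]


if __name__ == "__main__":
    tok = login("alice", "correct horse")
    # With only the first factor done, the weak endpoint already returns records.
    print("vulnerable:", vehicle_search_vulnerable(tok, "02903"))
    try:
        vehicle_search_hardened(tok, "02903")
    except PermissionError as exc:
        print("hardened:", exc)  # mfa required
    verify_mfa(tok, totp(EMPLOYEES["alice"]["totp_secret"], int(time.time())))
    print("hardened after MFA:", vehicle_search_hardened(tok, "02903"))
```

The design choice worth copying is that `mfa_verified` lives in server-side session state and is set only by `verify_mfa`; a client that hides, removes or skips the overlay never reaches the data because the check is repeated at the endpoint. An audit of an administrator portal should look for every sensitive route and confirm it performs this check rather than relying on the login page or UI flow to have done so.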

This “access” allowed the ethical hacker to:

  • Remotely start, turn off, lock, unlock, and retrieve the current location of any Subaru vehicle.
  • Retrieve a Subaru vehicle’s location history from the past 12 months, accurate to within about 15 feet.
  • Query and retrieve the personal information of any consumer, including emergency contacts, authorized users, physical address, billing information, and vehicle PIN.
  • Access other user data (e.g., support call history, previous owners, odometer reading, sales history, etc.).

The ethical hackers informed Subaru that this vulnerability could allow any threat actor to track and hijack any Subaru vehicle in the United States, Canada, or Japan. Fortunately, Subaru responded to the ethical hackers’ outreach immediately and patched the offending vulnerability within 24 hours, but the issue raises wider concerns about the motor vehicle industry. When broad access is built into vehicle systems by default, those systems are very difficult to secure and protect from outside threats. Manufacturers should apply security by design when building these systems and find a balance between ease of service and consumer information security.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.