Starlink Vulnerability Exposed Subaru Remote Functions and Data

Sam Curry and Shubham Shah have released a report demonstrating a now-patched vulnerability in Starlink, Subaru’s multipurpose onboard services system, that would have allowed an attacker to remotely manipulate any vehicle and exfiltrate data given the owner’s last name and “ZIP code, email address, phone number, or license plate.” The researchers accessed an employee admin portal through JavaScript flaws in the login process, and bypassed 2FA on the site by simply removing the UI overlay. Any attacker with this access could perform remote operations on the vehicle (starting or stopping the engine, locking or unlocking the doors, and tracking the vehicle’s current location and past 12 months of location history), and could also steal extensive customer PII and data about the vehicle’s status and history, all without alerting the owner. Subaru patched the flaw within 24 hours of the report. More: https://samcurry.net/hacking-subaru