How a Subaru Security Flaw Exposed Millions of Cars to Remote Tracking and Control

2025-01-23

In an era where technology seamlessly integrates into our daily lives, the convenience of connected cars comes with hidden risks. A recent discovery by security researcher Sam Curry revealed a shocking vulnerability in Subaru’s vehicle systems, allowing millions of cars to be remotely tracked, unlocked, and even started. This breach not only exposed a full year’s worth of location history, accurate to within five meters, but also highlighted the alarming ease with which such systems can be compromised. What started as a casual agreement between a researcher and his mother turned into a stark reminder of the vulnerabilities lurking in the automotive industry.

The Vulnerability

Sam Curry, a security researcher, set out to hack into his mother’s Subaru after promising to buy her one if he succeeded. He first examined the MySubaru mobile app but found no flaws there. He then turned to employee-facing applications, suspecting they would carry broader permissions. With a friend’s help, Curry found a Subaru sub-domain that required an employee login. By exploiting an insecure password-reset flow and locating a valid employee email address through a simple web search, he gained access.

The two-factor authentication (2FA) protection, which should have been a robust barrier, was easily bypassed as it ran on the client side. Once inside, Curry found a treasure trove of functionalities, including the ability to view the “Last Known Location” of any Subaru vehicle. By entering his mother’s last name and ZIP code, he accessed her car’s entire location history for the past year.

But the breach didn’t stop there. Curry and his team discovered they could remotely control any Subaru equipped with Starlink. They tested this by targeting a friend’s car, adding themselves as authorized users without the owner’s knowledge or consent. They successfully unlocked the car remotely, demonstrating the extent of their control.

Subaru acted swiftly after Curry reported the vulnerability, fixing it within a day and confirming no evidence of prior exploitation. However, Curry’s findings underscore a broader issue: the auto industry’s reliance on trust and the inherent risks of granting employees extensive access to sensitive data.

What Undercode Says:

The Subaru security breach is a wake-up call for the automotive industry, highlighting the urgent need for robust cybersecurity measures in connected car systems. Curry’s discovery reveals several critical issues that extend beyond Subaru, pointing to systemic vulnerabilities in how car manufacturers handle data and access controls.

1. Insecure Employee-Facing Systems: The breach originated from an employee-facing application with lax security measures. This is a recurring theme in many industries, where internal systems are often less fortified than customer-facing ones. The assumption that these systems are “behind the scenes” and therefore safe is a dangerous oversight.

2. Weak Authentication Mechanisms: The ease with which Curry bypassed the 2FA protection is alarming. Two-factor authentication is meant to be a second layer of defense, but its implementation in this case was flawed, running on the client side and allowing local removal. This highlights the importance of server-side security measures and rigorous testing of authentication protocols.
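The pattern behind point 2, as an added illustration rather than code from Subaru or from Curry’s write-up: a server that trusts a client-supplied “2FA passed” flag beside one that records the second factor in its own session state. The session store, the fixed one-time code and the resource name are all constructed for the example.

```python
# Added example (not Subaru's code): 2FA state must live on the server, not the client.
# SESSIONS and VALID_OTP are constructed stand-ins for a real session store and OTP service.
import hmac

SESSIONS = {}          # session_id -> server-side session state
VALID_OTP = "123456"   # constructed one-time code for the demonstration


def login_password(session_id, user, password_ok):
    """First factor: record that the password check passed; 2FA starts as not done."""
    SESSIONS[session_id] = {"user": user, "password_ok": password_ok, "mfa_ok": False}


def verify_otp(session_id, otp):
    """Second factor: only the server flips mfa_ok, and only after checking the code."""
    s = SESSIONS.get(session_id)
    if s and s["password_ok"] and hmac.compare_digest(otp, VALID_OTP):
        s["mfa_ok"] = True
        return True
    return False


def protected_resource_weak(session_id, client_claims_mfa):
    """Weak pattern: the gate depends on a flag the client sends, so the
    client-side 2FA step can simply be skipped or edited away."""
    s = SESSIONS.get(session_id)
    if s and s["password_ok"] and client_claims_mfa:
        return "vehicle data"
    return None


def protected_resource_hardened(session_id):
    """Hardened pattern: the gate consults the server's own record of the 2FA step."""
    s = SESSIONS.get(session_id)
    if s and s["password_ok"] and s["mfa_ok"]:
        return "vehicle data"
    return None
```

With the weak gate, a password-only session reaches the resource by asserting the flag; with the hardened gate, nothing short of a server-verified code opens it.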

3. Overly Permissive Access: The ability of an 18-year-old employee to query sensitive information about any vehicle, regardless of location, is a glaring red flag. Such broad access, while convenient for employees, creates a significant risk if credentials are compromised. The principle of least privilege—granting only the minimum access necessary—should be a cornerstone of any security strategy.

4. Lack of User Notifications: Perhaps one of the most concerning aspects of the breach is that car owners were not notified when unauthorized users were added to their accounts. This lack of transparency undermines user trust and leaves them vulnerable to exploitation without their knowledge.
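Points 3 and 4 together, as an added example that is not Subaru’s code: an employee lookup scoped by role and region instead of “any vehicle anywhere”, and an owner notification plus audit entry written every time someone is added as an authorized user. The roles, regions, vehicle record and notification channel are constructed assumptions.

```python
# Added example (not Subaru's code): least-privilege vehicle access with owner notification.
# POLICY, the Vehicle record and the notification list are constructed for the demonstration.
from dataclasses import dataclass, field

# Role -> permitted actions and the owner regions (ZIP codes) the role may touch.
POLICY = {
    "support_agent": {"actions": {"view_status"}, "regions": {"94105"}},
    "fleet_admin": {"actions": {"view_status", "add_user"}, "regions": {"*"}},
}

AUDIT_LOG = []  # every attempt, allowed or denied, lands here for review


@dataclass
class Vehicle:
    vin: str
    owner_zip: str
    authorized_users: list = field(default_factory=list)
    owner_notifications: list = field(default_factory=list)  # stand-in for email/SMS


def authorize(role, action, vehicle):
    """Allow only actions in the role's scope, and only for owners in its regions."""
    p = POLICY.get(role)
    if not p or action not in p["actions"]:
        return False
    return "*" in p["regions"] or vehicle.owner_zip in p["regions"]


def view_status(role, actor, vehicle):
    ok = authorize(role, "view_status", vehicle)
    AUDIT_LOG.append((actor, role, "view_status", vehicle.vin, ok))
    return {"vin": vehicle.vin, "users": list(vehicle.authorized_users)} if ok else None


def add_authorized_user(role, actor, vehicle, new_user):
    """Adding a user is both gated and visible: audit entry plus owner notification."""
    ok = authorize(role, "add_user", vehicle)
    AUDIT_LOG.append((actor, role, "add_user", vehicle.vin, ok))
    if not ok:
        return False
    vehicle.authorized_users.append(new_user)
    vehicle.owner_notifications.append(f"{new_user} was added to {vehicle.vin} by {actor}")
    return True
```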

5. Industry-Wide Implications: Curry’s observation that his findings wouldn’t surprise others in the security industry is telling. It suggests that such vulnerabilities are not unique to Subaru but are indicative of broader issues within the auto industry. As cars become more connected, the potential attack surface grows, making it imperative for manufacturers to prioritize cybersecurity.

6. The Role of Trust: The auto industry’s reliance on trust as a security measure is inherently flawed. While trust is essential for collaboration, it cannot replace technical safeguards. Systems must be designed with the assumption that breaches will occur, incorporating layers of defense to mitigate risks.

7. The Human Factor: Employees with access to sensitive data are both a strength and a vulnerability. Proper training, strict access controls, and regular audits are essential to minimize the risk of insider threats or accidental exposure.

8. The Need for Transparency: Subaru’s swift response to Curry’s report is commendable, but the incident underscores the importance of proactive vulnerability disclosure. Manufacturers should encourage ethical hacking and establish clear channels for reporting security issues.

9. Future-Proofing Connected Cars: As the automotive industry moves toward autonomous vehicles and deeper connectivity, cybersecurity must be a top priority. This includes not only securing software but also ensuring hardware components are tamper-proof and resilient to attacks.

10. Consumer Awareness: Car owners must be informed about the risks associated with connected car systems and educated on best practices for securing their vehicles. This includes regularly updating software, using strong passwords, and monitoring account activity.

In conclusion, the Subaru breach serves as a stark reminder of the challenges facing the automotive industry in the age of connected cars. While the convenience of remote access and control is undeniable, it must be balanced with robust security measures to protect users’ privacy and safety. As technology continues to evolve, so too must the industry’s approach to cybersecurity.

Final Thoughts

The Subaru incident is not just a story about a single vulnerability; it’s a cautionary tale about the broader risks of connected systems. As cars become smarter, the stakes grow higher. Manufacturers must adopt a security-first mindset, prioritizing the protection of user data and vehicle functionality. For consumers, the lesson is clear: convenience should never come at the cost of security. The road ahead is paved with innovation, but it must also be guarded by vigilance.

References:

Reported By: 9to5mac.com