Subaru’s Security Flaws Exposed by Researchers
The investigation conducted by researchers Shah and Curry into the security vulnerabilities of Subaru began with an unexpected connection made through Curry’s mother’s Starlink app. They discovered that the app was linked to the domain SubaruCS.com, identified as a backend site for employee operations. Intrigued, they examined the site for potential security weaknesses and uncovered a grave flaw: they could reset employee passwords merely by inputting the associated email addresses.
While the password reset process required answers to two security questions, the validation of these answers occurred through code running in the user’s browser rather than on Subaru’s servers. This design flaw enabled the researchers to bypass the security checks seamlessly. Shah commented, “There were really multiple systemic failures that led to this.”
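The mitigation for the flaw described above is to check the answers on the server and let the reset step proceed only with state the server created. This is an added example, not Subaru's code and not from the reporting; the class, function names, thresholds and sample account are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed lockout threshold
TOKEN_TTL_SECONDS = 600   # assumed lifetime of a reset token

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case and whitespace so ' Rex ' and 'rex' hash identically."""
    return kdf(" ".join(answer.lower().split()), salt)

class ResetService:
    """Hypothetical server-side reset flow; no answer data reaches the browser."""
    def __init__(self):
        self.users = {}    # email -> salt, answer hashes, failure count, pw_hash
        self.tokens = {}   # token -> (email, expiry timestamp)

    def enroll(self, email, answers, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "failures": 0, "pw_hash": kdf(password, salt),
                             "answers": [hash_answer(a, salt) for a in answers]}

    def verify_answers(self, email, answers):
        """Step 1: compare answers on the server; return a one-time token or None."""
        user = self.users.get(email)
        if user is None or user["failures"] >= MAX_ATTEMPTS:
            return None
        given = [hash_answer(a, user["salt"]) for a in answers]
        # Constant-time comparison of every answer, not just up to the first mismatch.
        results = [hmac.compare_digest(g, s) for g, s in zip(given, user["answers"])]
        if len(given) != len(user["answers"]) or not all(results):
            user["failures"] += 1
            return None
        user["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, time.time() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        """Step 2: accepted only with an unexpired token minted by step 1."""
        email, expiry = self.tokens.pop(token, (None, 0))  # pop makes it single-use
        if email is None or time.time() > expiry:
            return False
        self.users[email]["pw_hash"] = kdf(new_password, self.users[email]["salt"])
        return True
```

A request that goes straight to `reset_password` without passing `verify_answers` carries no valid token and is rejected, which is the property a browser-side check cannot provide.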
Upon identifying an email address belonging to a Subaru Starlink developer on LinkedIn, the pair successfully hijacked the account. Almost immediately, they gained access to sensitive information that allowed them to search for any Subaru owner by their last name, zip code, email address, phone number, or license plate number. This alarming level of access enabled them to reassign control of various Starlink functionalities linked to the owner’s vehicle, including the ability to remotely unlock the car, honk the horn, start the ignition, or pinpoint its location.
The implications of such vulnerabilities are significant, posing dangers related to theft and personal safety. Curry and Shah highlighted that malicious actors could feasibly track victims for stalking or thievery. They could pinpoint a vehicle’s location and unlock it at will, although a thief would need an additional method to override the car’s immobilizer system to drive it away without the proper key.
These hacking and tracking maneuvers are not isolated incidents. Last summer, Curry, alongside fellow researcher Neiko Rivera, demonstrated similar weaknesses in vehicles sold by Kia. Over the past two years, a wider collective of experts—including Curry and Shah—has revealed various web-oriented security vulnerabilities impacting numerous automotive brands such as Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls-Royce, and Toyota.
Source
arstechnica.com