SecurityWeek reports that all Subaru vehicles in the U.S., Canada, and Japan could be remotely hijacked in attacks exploiting a flaw in the Japanese automaker's Starlink infotainment system.
After inputting valid employee emails to get into Starlink's admin panel, which is hosted on a subarucs.com subdomain, threat actors could perform password resets, remove a client-side overlay, and evade two-factor authentication to access the panel's features and retrieve different types of customer and vehicle information, including names, vehicle identification numbers, and location details, according to cybersecurity researcher Sam Curry, who discovered the issue with researcher Shubham Shah. Attackers could also achieve stealthy remote vehicle takeovers by designating themselves as authorized users of the vehicle through the control panel, said Curry, who noted that Subaru had already addressed the issue within a day of it being reported in November. The disclosure comes after Curry discovered that millions of Kia vehicles were at risk of remote hacking through a vulnerability in the Kia owners' web portal.