Independent researcher Aaron Guzman spotted eight software vulnerabilities in the 2017 Subaru WRX STI which could allow unauthorized users to unlock doors, honk horns, obtain vehicle location history and cause other issues stemming from the car's Starlink account.
Starlink is Subaru's connected in-vehicle technology which offers remote multimedia, security, and safety services. Guzman found vulnerabilities in how the vehicle's iOS and Android mobile apps and the web app communicate with Subaru's Starlink servers which when used in various combinations, could allow him to add users to a Starlink account thus granting them access to the vehicle's usage history, including location, as well as unlock doors and honk the horn, according to Data Breach Today.
The researcher spotted "perma-token problems" in the Starlink token. The Subaru mobile apps used a randomly generated token to grant access once someone had authenticated. Such a token should expire after a short time to prevent reuse, but instead it kept Subaru users perpetually logged in. The token was also sent in a URL, cached in clear-text databases, and never expired, even after a password was changed.
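The failure mode described above (a bearer token that never expires and survives a password change) is a server-side design problem. The following is an added example, not Subaru's or Guzman's code, of a minimal token store that closes each of those gaps: tokens are random, short-lived, invalidated by a password change, and stored only as hashes. The class and its names are illustrative assumptions, not any real Starlink API.

```python
import hashlib
import secrets
import time

# Added example (not Subaru's code). The "password generation" counter is the
# key idea: every token records the generation it was issued under, so bumping
# the counter on a password change invalidates all older tokens at once.

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime; the article's tokens never expired


class TokenStore:
    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._tokens = {}        # token_hash -> (user, password_gen, expires_at)
        self._password_gen = {}  # user -> counter bumped on every password change

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked/cached database does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        gen = self._password_gen.setdefault(user, 0)
        self._tokens[self._hash(token)] = (user, gen, now + self.ttl)
        return token  # send to the client in a header or body, never in the URL

    def change_password(self, user):
        # Invalidates every token issued under the old password.
        self._password_gen[user] = self._password_gen.get(user, 0) + 1

    def validate(self, token, now=None):
        """Return the user for a live token, or None if it is unknown, expired,
        or was issued before the user's most recent password change."""
        now = time.time() if now is None else now
        key = self._hash(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user, gen, expires_at = entry
        if now >= expires_at or gen != self._password_gen.get(user, 0):
            self._tokens.pop(key, None)  # drop stale tokens eagerly
            return None
        return user
```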
As a result, a threat actor who knew the victim had a 2017 or later Subaru with Starlink installed could capture the generated token using either a cross-site scripting (XSS) or a man-in-the-middle (MITM) attack.
The attacker could then add other users to the account by entering their email addresses; those users would receive emails from Subaru inviting them to create passwords for their accounts.
"They have their own account, but they also have full access to the car - the same as you," Guzman told the publication. "The owner wouldn't know. You don't get an email. You don't get a broadcast. No notifications."
Ironically, Guzman discovered the same flaw in a 2016 Subaru mobile app that allowed owners to track vehicle maintenance. Its token also did not expire, and Guzman said he reported the issue to Subaru, which supposedly fixed the flaw, yet the same bug appeared this year.
Charlie Miller who famously helped hack the Jeep Cherokee in 2015 told the publication that the attack would be very difficult to pull off.
"Compare this to the Jeep attack where the only requirement was the car is on," Miller said. "It required no proximity or interaction by the victim."
The flaws were reported to Subaru in February, and the automaker has reportedly been responsive. Most of the flaws have since been patched; however, Guzman said he has kept a close eye on all of the updates that have been released.
Subaru said the flaws found by Guzman "allowed him to access his own account and vehicle data," according to a statement to ISMG, and said that any risk to users "was minimal."
Subaru currently does not have a bug bounty program.