A vulnerability in Subaru’s Starlink connected vehicle service provided unrestricted access to the accounts of customers in the US, Canada, and Japan, security researcher Sam Curry says. Starlink, the in-vehicle infotainment system for Subaru vehicles, provided remote functionality that could be accessed from an administrator portal that only employees should have access to. Access to the admin panel, Curry says, allowed them to view vehicle information, including historical location data, and VIN number, as well as customer information. The researchers discovered that the admin panel allowed them to grant/modify access to cars, essentially enabling vehicle takeover without any pre-requisite, and without the car owner being alerted.

Read more: https://www.securityweek.com/subaru-starlink-vulnerability-exposed-cars-to-remote-hacking/