Researcher Finds Basic Mistakes in Subaru’s Starlink Service

A researcher in California took his 2017 Subaru WRX STI for a ride on the security highway and found multiple vulnerabilities in Starlink, the in-vehicle service that offers remote activation of certain car features. The flaws could be exploited to control door locks, the lights and the horn, and to access the car’s location history.

The discoveries were made by well-known security researcher Aaron Guzman, a board member of the Open Web Applications Security Project (OWASP) and president of the Cloud Security Alliance (CSA), Southern California Chapter. His investigation revolved around the communication between the Starlink mobile (iOS, Android) and web apps with the service’s servers, which led to the discovery of eight vulnerabilities.

When poking around, Guzman learned that customer authentication on the Starlink servers is done with a token that, although randomly generated, doesn’t change and it is not properly secured. In an exclusive interview for Information Security Media Group (ISMG), the researcher said the mobile apps send the token over a URL and it’s cached in unencrypted databases. Things got worse when testing the web app because the token was included in the clear in the URL and it never changed, not even when modifying the account password.

It appears that the digital token was sufficient for Starlink servers to accept requests and execute the commands without additional verification. This allowed the researcher to add new users to the account, with the same level of access to the car as the owner. However, the owner of the account would not receive notifications that others could control the car’s remote features. “They have their own account, but they also have full access to the car – the same as you,” Guzman said to ISMG. “The owner wouldn’t know. You don’t get an email. You don’t get a broadcast. No notifications.”

To show how the token could be stolen from a Subaru owner, Guzman wrote proof-of-concept code that exploited a cross-site scripting (XSS) vulnerability, which has code from a web source executed in the context of a different web source. This method assumes interaction from the victim, but there are ways to avoid this. However, an attack would not be too easy to pull off, because of documentation needed beforehand from the attacker and prerequisites that are challenging to meet.

Guzman disclosed the vulnerabilities to Subaru in February and watched the progress the company made to patch the apps. The carmaker was responsive and fixed most of the bugs but downplayed the risks associated with the disclosure, asserting that the danger was minimal. Although Starlink has no influence on the critical systems in the car (brakes, speed control, steering), unauthorized tracking of a vehicle and unlocking it represent a serious fear for a car owner, no matter how slim the chance of it happening.