How Subaru’s IVI System Admin Panel Vulnerability Could Have Enabled Vehicle Tracking and Control

March 13, 2025
CyberThreat Research Lab

By Jason Yuan (Engineer, Automotive)

The security researcher Sam Curry recently published details of a vulnerability that he and fellow researcher Shubham Shah discovered in November 2024 in Subaru’s in-vehicle infotainment (IVI) infrastructure. The vulnerability, which was disclosed to and fixed by Subaru in the same month, stemmed from admin systems that provided full access to customer data, vehicle controls, and historical records. These systems were publicly accessible and lacked sufficient authentication, putting a sensitive set of functions — from accessing personal information to unlocking vehicles remotely — at risk. In this article, we examine the nature of this flaw, how and why it emerged, and what it means for today’s increasingly connected vehicles.

Riding the wave of remote administration

Automotive manufacturers (OEMs) are increasingly integrating remote admin features that allow users to interact with their vehicles from anywhere, often through mobile apps or web dashboards. Subaru’s Starlink system, for example, enables functions such as remote locking or unlocking, engine start, and diagnostic checks.

The round-the-clock connectivity afforded by systems like Starlink enhances user convenience while delivering tangible benefits to OEMs, including the ability to gather real-time performance data, manage fleets more effectively, and deploy over-the-air (OTA) updates. However, the security of these systems’ admin portals does not always keep pace with the growing reliance on them.

A look under the hood

According to Curry and Shah’s findings, Subaru left sensitive services exposed in ways that a seasoned security researcher could easily find. Through domain fuzzing and subdomain enumeration, the researchers discovered an admin portal linked to Starlink. Key scripts within this portal were publicly accessible and lacked proper security protections.

One of these scripts allowed administrators to reset passwords without requiring authentication. The only requirement was a valid admin email address, which could be found via open-source intelligence (OSINT) methods. This meant that an attacker, with a bit of OSINT skill, could reset an admin’s password and effectively take over their account.
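The weak reset pattern described above, beside a hardened flow, as an added illustration that is not Subaru’s or the researchers’ code: the weak version accepts any known admin e-mail as the sole requirement, while the hardened version needs a single-use, expiring token that only the mailbox owner receives. The function names, the PBKDF2 parameters, the 15-minute token lifetime and the admin directory are assumptions for the example.

```python
import hashlib
import secrets
import time

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 hash; this, never the password itself, is what gets stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed admin directory for the example: e-mail -> (salt, password hash).
ADMINS = {"admin@example.invalid": hash_password("initial-password-01")}

def weak_reset(email: str, new_password: str) -> bool:
    """The weak pattern: a valid admin e-mail is all the caller has to know."""
    if email not in ADMINS:
        return False
    ADMINS[email] = hash_password(new_password)
    return True

# Hardened flow: a reset needs a single-use, expiring token delivered out of
# band to the mailbox owner; only the token's hash is kept server-side.
TOKEN_TTL_SECONDS = 15 * 60
PENDING = {}  # sha256(token) -> (e-mail, expiry timestamp)

def request_reset(email: str, now=None):
    """Issue a token for a known admin; the HTTP layer must answer identically
    for unknown addresses so the endpoint cannot be used to enumerate admins."""
    now = time.time() if now is None else now
    if email not in ADMINS:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL_SECONDS)
    return token  # handed to the mailer, never echoed in the API response

def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token: it must exist and be unexpired, and it is invalidated
    on first use whether or not the reset goes through."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at or len(new_password) < 12:
        return False
    ADMINS[email] = hash_password(new_password)
    return True
```

Even the hardened flow only helps if the portal itself is not reachable from the public internet without authentication; the token protects the reset, not the exposure.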

The researchers demonstrated the severity of this vulnerability using a single license plate number. With that alone, they were able to retrieve the owner’s identity, view the vehicle’s GPS records, and even issue commands to unlock the doors.

The implications were severe. With minimal effort, an attacker could track a car’s location, collect personal data, and manipulate critical vehicle functions. Even partial access to these privileges would have posed a security threat; yet the exposed portal offered a wide array of admin features that were never meant to be publicly accessible.

Figure 1. Attack chain summarizing how security researchers achieved full Subaru Starlink IVI system admin access

Fortunately, Subaru promptly fixed the vulnerability and the researchers confirmed that the attack could no longer be reproduced.

Securing vehicles in an increasingly interconnected world

As vehicles become increasingly connected and software-driven, their complexity and attack surface extend beyond traditional IT networks to the vehicles themselves. This interconnectedness can escalate risks, making breaches in which an attacker with administrator access remotely unlocks cars or reads sensitive data especially critical.

OEMs must strengthen automotive cybersecurity beyond consumer-facing applications by rigorously testing all back-end systems and admin portals. Regular third-party penetration testing is essential to identifying API and website security vulnerabilities.

Implementing the principle of least privilege and limiting the transmission of user data to back-end systems can help mitigate risks. Additionally, integrating these efforts with continuous monitoring across the IT security operations center (SOC) and the dedicated vehicle security operations center (VSOC) enhances automotive cybersecurity. By correlating API security events with vehicle data, OEMs can gain contextualized risk visibility, enabling more effective risk assessments and better resource allocation against emerging threats.
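One concrete form the SOC/VSOC correlation above can take, as an added example rather than anything from the article or a particular OEM: a rule that ties a self-service password reset on an admin account to the vehicle-data calls that follow it from a source address that account had never used before. The log format, field names, event names and the 60-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, merged from the admin portal and the vehicle-data API:
# "<ISO time> <source> <event> account=<id> ip=<addr> [vin=...|plate=...]"
LOG = """\
2025-03-01T09:00:00Z portal login account=ops-admin ip=203.0.113.10
2025-03-01T09:05:00Z vehicle gps_history account=ops-admin ip=203.0.113.10 vin=TESTVIN000000001
2025-03-01T13:00:00Z portal password_reset account=ops-admin ip=198.51.100.7
2025-03-01T13:02:00Z portal login account=ops-admin ip=198.51.100.7
2025-03-01T13:04:00Z vehicle plate_lookup account=ops-admin ip=198.51.100.7 plate=ABC1234
2025-03-01T13:05:00Z vehicle gps_history account=ops-admin ip=198.51.100.7 vin=TESTVIN000000001
2025-03-01T13:06:00Z vehicle remote_unlock account=ops-admin ip=198.51.100.7 vin=TESTVIN000000001
2025-03-01T15:00:00Z vehicle remote_unlock account=fleet-admin ip=203.0.113.22 vin=TESTVIN000000002
"""
SENSITIVE = {"plate_lookup", "gps_history", "remote_unlock"}  # vehicle-data calls worth correlating
WINDOW = timedelta(minutes=60)  # post-reset period during which new-IP activity is suspicious

def parse(line: str) -> dict:
    """Split one log line into its fields; the timestamp becomes a datetime."""
    ts, source, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields.update(time=datetime.fromisoformat(ts.replace("Z", "+00:00")), source=source, event=event)
    return fields

def correlate(log_text: str) -> list:
    """Flag sensitive vehicle-data calls made within WINDOW of a password reset
    on the same admin account, from an IP that account never used before the
    reset. Returns (account, event, vehicle identifier, ip) tuples."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["time"])
    known_ips = defaultdict(set)  # account -> IPs seen before that account's reset
    last_reset = {}               # account -> (time, ip) of the most recent reset
    alerts = []
    for ev in events:
        acct = ev["account"]
        if ev["event"] == "password_reset":
            last_reset[acct] = (ev["time"], ev["ip"])
            continue
        reset = last_reset.get(acct)
        if reset is None:
            known_ips[acct].add(ev["ip"])  # baseline only from pre-reset activity
        elif (ev["event"] in SENSITIVE and ev["time"] - reset[0] <= WINDOW
              and ev["ip"] not in known_ips[acct]):
            alerts.append((acct, ev["event"], ev.get("vin") or ev.get("plate"), ev["ip"]))
    return alerts
```

On the sample log the rule flags the plate lookup, GPS history read and remote unlock that follow the reset on ops-admin, and stays quiet for fleet-admin, whose unlock had no preceding reset.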

Stepping into the future

This case highlights how convenience can quickly become a liability when vehicle systems are not designed with security from the outset. Across the globe, standards and regulations are becoming more stringent to protect driver safety and data privacy. At the same time, emerging technologies such as autonomous driving and vehicle-to-everything (V2X) communications introduce new threats beyond traditional network or application security challenges.

In this shifting landscape, a forward-thinking approach and collaboration with security specialists help ensure that connected mobility remains innovative without compromising safety. Automotive cybersecurity must not be an afterthought: vehicles must be safeguarded throughout their entire lifespan, from design to decommissioning, rather than relying on patching individual flaws.