Subaru Starlink: Difference between revisions
m wanted: JS; capitalize LinkedIn & JS;
m link LinkedIn
| Line 20: | Line 20: | ||
===Starlink app exploit (''2025'')=== | ===Starlink app exploit (''2025'')=== | ||
The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off LinkedIn and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript. | The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript. | ||
Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car. | Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car. | ||
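Review bot: in the new revision's first paragraph, "Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript" has a dangling modifier that reads as if the hacker implemented the 2FA; suggest "Although the portal implemented 2FA, this too was enforced entirely client-side, and the modal window that blocked further interaction until verification could likewise be hidden with JavaScript." The same paragraph would benefit from one sentence stating the lesson the text already supports: both the "Reset password" feature and the 2FA modal were hidden only by client-side JavaScript, so neither functioned as a server-enforced access control. Minor: "intercepting the Starlink app's network requests which revealed the admin portal login screen" needs a comma before "which", and "login to" as a verb should be "log in to".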