Subaru Starlink Vulnerabilities Exposed Owners to Tracking and Car Control
Security researchers have discovered a vulnerability that allowed attackers to take over other people’s accounts in Subaru’s Starlink service. As a result, criminals could track, control, and even hack vehicles in the US, Canada, and Japan—sometimes knowing only the car’s license plate number.
The issue, first found in November 2024, was reported by well-known cybersecurity expert and bug hunter Sam Curry, along with independent researcher Shubham Shah. The story began when Curry bought his mother a 2023 Subaru Impreza and, as is his habit, tried to hack it.
Curry has long studied vulnerabilities in modern cars. For example, in 2022, he and his colleagues reported issues in Hyundai and Genesis mobile apps, as well as flaws in the SiriusXM smart car platform (used by Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota), which allowed remote unlocking, engine start, and other actions. In 2023, Curry wrote about bugs in digital license plates using e-ink technology. In fall 2024, he detailed problems in Kia’s dealer portal that allowed remote control of key car functions, requiring only the victim’s license plate number to launch an attack.
This time, the researchers found vulnerabilities in Subaru’s web portal that allowed them to remotely unlock someone else’s car, honk the horn, and start the ignition—reassigning control of these features to any phone or computer. However, what shocked Curry most was that the flaws allowed him to track his mother’s (and other Subaru owners’) car locations. The data included not just current location, but a full history of movements for the entire year she owned the car. The map was so detailed that Curry could see when his mother visited the doctor, friends, or even which parking spot she used at church.
“You can see at least a year’s worth of location history, with the car tracked very precisely, sometimes multiple times a day,” Curry explained. “There are a million scenarios where this could be used against someone—cheating on a spouse, getting an abortion, participating in a political group, and so on.”
Curry and Shah reported that millions of other Subaru vehicles with Starlink digital features could be tracked in the same way. The root cause was vulnerabilities found on the SubaruCS.com website, intended for company employees.
By examining the site, the experts found they could reset any employee’s password by simply guessing their email address. The site asked for answers to security questions, but these were checked by code running locally in the user’s browser, not on the server, making it easy to bypass. The researchers found a Subaru Starlink developer’s email on LinkedIn, took over the account, and discovered they could use this access to search for any Subaru owner by last name, zip code, email, phone number, or license plate.
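The password-reset flaw described above comes down to where the security-question check runs. The following added example (not Subaru's code, and not from the researchers) models a reset endpoint two ways: the weak pattern, in which the server trusts a "verified" flag the browser sends after checking the answers locally, and a hardened pattern, in which the server stores salted hashes of the answers, compares them itself in constant time, limits attempts, and returns the same result for an unknown address as for a wrong answer. The employee record, the `EMPLOYEES` store, the `example.invalid` address, and the attempt limit are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data: one employee whose security-question answers are
# stored as salted PBKDF2 hashes (an assumed design, not the real portal's).
def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Rover" and " rover " match, then hash.
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


def make_employee(email: str, answers: list[str]) -> dict:
    salt = os.urandom(16)
    return {
        "email": email,
        "salt": salt,
        "answer_hashes": [_hash_answer(a, salt) for a in answers],
        "failed_attempts": 0,
    }


EMPLOYEES = {
    "dev@example.invalid": make_employee("dev@example.invalid", ["Rover", "Springfield"]),
}
RESET_TOKENS: dict[str, str] = {}   # token -> email, issued only after verification
MAX_ATTEMPTS = 5                    # assumed lockout threshold


def reset_password_client_trusted(email: str, client_says_verified: bool):
    """Weak pattern: the browser checked the answers and reports the outcome.

    The server never sees the answers, so anyone who knows the address and
    sends the flag gets a reset token. This is the class of bug the article
    describes; it is here only as the 'before' half of the comparison."""
    if email in EMPLOYEES and client_says_verified:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = email
        return token
    return None


def reset_password_server_verified(email: str, submitted_answers: list[str]):
    """Hardened pattern: the server verifies every answer itself."""
    employee = EMPLOYEES.get(email)
    if employee is None:
        return None  # same outcome as a wrong answer: don't reveal valid addresses
    if employee["failed_attempts"] >= MAX_ATTEMPTS:
        return None  # locked out until an out-of-band unlock (not modelled here)
    if len(submitted_answers) != len(employee["answer_hashes"]):
        return None

    # Hash and compare every answer, never short-circuiting, so the response
    # time does not leak which answer was wrong.
    all_match = True
    for submitted, expected in zip(submitted_answers, employee["answer_hashes"]):
        candidate = _hash_answer(submitted, employee["salt"])
        all_match &= hmac.compare_digest(candidate, expected)

    if not all_match:
        employee["failed_attempts"] += 1
        return None

    employee["failed_attempts"] = 0
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token
```

The design point is that the answers, the comparison, the attempt counter, and the token issuance all live on the server; the browser only ever submits raw answers and receives a token or a generic failure. The same shape applies to any "knowledge check" step in a reset flow, whether it uses security questions, a one-time code, or a recovery key.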
Controlling Starlink features gave access to all vehicle location data available to employees, including the car’s position every time the engine was started. The researchers published a proof-of-concept video of the attack.
According to the experts, these vulnerabilities increased the risk of car theft. For example, an attacker could pick a victim, find their car’s location, and unlock it at the right moment. However, to actually steal the car, the thief would still need to disable the immobilizer.
Curry and Shah were especially alarmed by the detailed historical location data available to Subaru employees. It appears Subaru collects and stores this data for years; in their test, the history was limited to the year Curry’s mother owned her Impreza. Curry called this a disturbing demonstration that the auto industry does not guarantee the privacy of drivers’ personal data.
“It’s just insane. A Google employee can’t just read all your Gmail, but in Subaru’s admin panel, there’s literally a button that lets an employee view your entire location history,” Curry said.
When the media contacted Subaru for comment, the company said the vulnerabilities found by Curry and Shah were quickly fixed in November 2024 (the researchers confirmed this) and addressed the data collection concerns.
“Subaru of America has employees who can access location data as part of their job responsibilities. All such individuals receive appropriate training and, when necessary, sign confidentiality, security, and NDA agreements. Our systems use security monitoring solutions that are constantly improved to counter modern cyber threats,” the company stated.
Subaru explained that such access and monitoring may be needed, for example, to provide vehicle location data to emergency responders in case of an accident.
Modern Cars and Privacy Concerns
It’s worth noting that in 2023, Mozilla analysts called the privacy of modern cars a “nightmare.” The organization warned that 92% of cars give owners little control over collected data, and 84% of automakers reserve the right to sell or share driver data with third parties.
Mozilla experts emphasized that nearly all cars collect vast amounts of personal data about their users and require owners to allow the collection and sale of sensitive information, such as disability status, genetic data, facial patterns, and even sexual activity data.