- Remote Hacking Risk: Vulnerabilities in Subaru’s Starlink system allowed unauthorized parties to remotely unlock and start vehicles and control vehicle features, posing significant security threats.
- Detailed Location Tracking: Hackers could retrieve up to a year of precise location history, exposing owners’ movements, including personal and sensitive destinations.
- Industry-Wide Concerns: Similar flaws have been identified in systems of other automakers, highlighting widespread privacy and security challenges in connected vehicles.

Security vulnerabilities in Subaru’s Starlink system exposed millions of vehicles to potential hacking, allowing attackers to unlock cars, start engines, and access precise location histories. The flaws were discovered by researchers Sam Curry and Shubham Shah, who detailed how they exploited weaknesses in Subaru’s online portal. By hijacking an employee account, they accessed tools that enabled control over vehicles and retrieved up to a year of detailed location data, mapping owner movements to an alarming degree of precision.
The researchers uncovered the vulnerabilities while testing a 2023 Subaru Impreza. They identified critical flaws, including insecure password reset mechanisms on a Subaru administrative website. This allowed them to take over employee accounts and, in turn, access private information about any vehicle connected to the Starlink system. Their findings revealed that attackers could remotely unlock vehicles, track their locations, and manipulate key features—all without owners’ knowledge or consent.
Although Subaru quickly patched the security flaws following the researchers’ report, the discovery highlights broader privacy and security concerns within the automotive industry. Curry and Shah note that similar vulnerabilities exist in systems used by many other manufacturers, potentially exposing millions of vehicles from brands such as Honda, Toyota, and BMW. These issues underscore a systemic failure in safeguarding customer data and vehicle control.
Of particular concern was Subaru’s ability to store and access extensive location histories for its vehicles. While the company claims this data is used for safety purposes, such as assisting first responders during emergencies, critics argue that the level of detail goes far beyond necessity. Privacy advocates warn that this data could be weaponized against individuals, raising serious ethical and legal questions about its collection and use.
This incident adds to growing unease over the automotive industry’s handling of user data. Reports have shown that modern cars are increasingly collecting and storing personal information without sufficient oversight. While Subaru stated that it does not sell location data, the ease with which sensitive information can be accessed raises alarms about transparency and accountability. The Subaru case serves as a stark reminder of the urgent need for stricter privacy standards and robust security measures in connected vehicles.