Subaru’s Starlink System Vulnerability Exposed Millions of Vehicles to Hacking and Tracking

Security researchers have uncovered significant vulnerabilities in Subaru’s Starlink system, exposing millions of vehicles to potential remote hacking and extensive location tracking. While Subaru denies selling location data, the findings have raised serious concerns about privacy and security in the era of connected cars.

The vulnerability came to light when security researcher Sam Curry, while exploring the internet-connected features of his mother’s 2023 Subaru Impreza during Thanksgiving, identified glaring weaknesses in the system. Curry and fellow researcher Shubham Shah discovered they could remotely control vehicle functions such as unlocking doors, starting the engine, and honking the horn.

Even more troubling was their ability to access detailed location histories. “You can retrieve at least a year’s worth of location history for the car,” Curry told Wired. “Whether someone’s attending a political rally, visiting a sensitive location, or part of a private activity, this could be weaponized in countless ways.”

Critical Security Oversights Uncovered

The researchers identified flaws in the password reset functionality on SubaruCS.com, an administrative portal meant for employees. By guessing an employee’s email address, they triggered a password reset process that revealed a critical oversight: the answers to security questions were verified by the user’s browser, not Subaru’s servers. This allowed them to bypass protections easily.

Using LinkedIn, Curry and Shah located the email address of a Subaru Starlink developer and took over the account, gaining access to sensitive customer data and control over Starlink configurations. This enabled them to retrieve personal details such as names, emails, phone numbers, license plates, and zip codes.

Additionally, the compromised account allowed the researchers to remotely control various vehicle features, reassign Starlink accounts, and access precise location data for vehicles over a yearlong period.

Subaru’s Response and Industry Implications

After being alerted to the vulnerabilities in late November, Subaru patched the flaws. A company spokesperson acknowledged that certain employees have access to vehicle location data for specific purposes, such as assisting first responders in emergencies. Subaru emphasized that employees are trained and required to sign confidentiality agreements.

However, this incident has amplified ongoing concerns about privacy in the automotive industry. The Mozilla Foundation recently reported that 92% of car manufacturers provide owners with minimal control over their collected data, while 84% reserve the right to sell or share it.

Curry and other researchers have previously identified similar vulnerabilities in systems used by other automakers, including Toyota, Honda, and Hyundai. These discoveries underscore the widespread challenges of securing connected vehicles and protecting consumer data.

As automakers increasingly integrate advanced connectivity features, experts warn that robust cybersecurity measures must be prioritized to prevent breaches that could compromise safety, privacy, and trust.
