Critical Security Flaws in Subaru Starlink System Expose Millions of Vehicles to Remote Access

Security researchers have uncovered serious vulnerabilities in Subaru's Starlink system that could have allowed unauthorized access to millions of vehicles in the US, Canada, and Japan. The flaws potentially exposed vehicle locations and enabled remote control of basic functions.

Researchers Sam Curry and Shubham Shah discovered weaknesses in Subaru's administrative web portal that let them take control of vehicles' Starlink features, including the ability to unlock doors, activate horns, and start engines remotely. Most concerning was access to detailed location histories going back at least one year.

The researchers found they could reset Subaru employees' passwords knowing nothing more than their email addresses: the security-question step of the reset flow was enforced only in the browser, not by the server, so a request sent directly to the reset endpoint skipped it entirely. This let them take over employee accounts and, through them, reach customer vehicle data.
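As an added illustration (this is not Subaru's code and not the researchers' exploit), the Python below models the class of flaw described above: a password-reset endpoint that trusts a "security questions passed" result computed in the browser, placed beside a version that verifies the answer on the server. The account records, the lockout threshold and all function names are assumptions made for the example.

```python
"""Password-reset flow: client-side versus server-side security-question check.

Added illustration of the bug class in the article, not Subaru's code.
Accounts, answers and the lockout threshold are invented for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str
    # Salted, slow-hashed answer to the security question (hardened flow only)
    answer_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    answer_hash: bytes = b""
    failed_attempts: int = 0


MAX_ATTEMPTS = 5  # assumed lockout threshold, not taken from the article


def _hash_answer(salt: bytes, answer: str) -> bytes:
    # Normalise so "Fluffy " and "fluffy" compare equal, then slow-hash.
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def make_account(email: str, password: str, answer: str) -> Account:
    acct = Account(email=email, password=password)
    acct.answer_hash = _hash_answer(acct.answer_salt, answer)
    return acct


# --- Vulnerable pattern ----------------------------------------------------
# The browser decides whether the security questions were answered and posts
# a flag; the server trusts that flag and only checks that the email exists.

def reset_password_vulnerable(db: dict, email: str, questions_passed: bool,
                              new_password: str) -> bool:
    acct = db.get(email)
    if acct is None or not questions_passed:
        return False
    acct.password = new_password
    return True


def attacker_bypass(db: dict, victim_email: str, new_password: str) -> bool:
    # The attacker never loads the page's JavaScript; they call the endpoint
    # directly with the flag already set, so the answer is never needed.
    return reset_password_vulnerable(db, victim_email, True, new_password)


# --- Hardened pattern ------------------------------------------------------
# The server holds the answer hash and performs the comparison itself; the
# client supplies only the raw answer. Failures are counted and locked out.

def reset_password_hardened(db: dict, email: str, answer: str,
                            new_password: str) -> bool:
    acct = db.get(email)
    if acct is None:
        return False  # same response as a wrong answer: no account enumeration
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked; an operator must clear the counter
    candidate = _hash_answer(acct.answer_salt, answer)
    if not hmac.compare_digest(candidate, acct.answer_hash):
        acct.failed_attempts += 1
        return False
    acct.failed_attempts = 0
    acct.password = new_password
    return True


def demo() -> dict:
    """Run both flows against a constructed account and report the outcomes."""
    email = "employee@example.invalid"  # constructed sample account
    db = {email: make_account(email, "hunter2", "Fluffy")}
    results = {"bypass_works_on_vulnerable": attacker_bypass(db, email, "pwned")}
    db = {email: make_account(email, "hunter2", "Fluffy")}
    results["bypass_fails_on_hardened"] = reset_password_hardened(db, email, "", "pwned")
    results["legit_reset_on_hardened"] = reset_password_hardened(db, email, " fluffy", "newpass")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check that matters is where the comparison runs: anything the browser sends, including a "verified" flag, is attacker-controlled input, so the server must recompute the result from its own stored data. The hardened variant also counts failures per account and returns the same answer for unknown accounts and wrong answers, so the reset endpoint cannot be used to confirm which employee emails exist.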

Using a compromised employee account, they could look up any Subaru owner by last name, zip code, email address, phone number, or license plate and modify that vehicle's Starlink configuration. The location data was particularly detailed, showing exact parking spots and amounting to a comprehensive map of each driver's routines and visited locations.

While Subaru has patched these specific vulnerabilities after the researchers reported them in November, questions remain about employee access to historical location data. A Subaru spokesperson confirmed that certain employees can still access location information based on job requirements, citing emergency response needs as one use case.

The discovery highlights broader privacy concerns in the automotive industry. Recent research shows that 92% of modern vehicles offer drivers minimal control over collected data. "People are being tracked in ways that they have no idea are happening," notes Robert Herrell, executive director of the Consumer Federation of California.

Similar security issues have previously been found affecting other major automakers including Kia, BMW, Honda, Toyota and others, suggesting this may be an industry-wide challenge rather than an isolated incident.