
The automaker fixed the vulnerability within 24 hours, but the situation remains troubling
January 23, 2025 16:46

- Researchers discovered a serious security flaw in Subaru’s Starlink system late last year.
- It allows full access to private data including location, emergency contacts, call logs, and more.
- Subaru fixed the vulnerability within 24 hours but has not yet addressed broader privacy concerns.
Connected cars store so much data that they resemble rolling surveillance devices. Now, researchers are disclosing a new security flaw that allowed them to access sensitive data via Subaru’s Starlink technology. While Subaru promptly fixed the issue, the incident raises troubling questions about just how private your private data really is in the age of connected vehicles.
Sam Curry, a security researcher you may remember from past vehicle hacks, and his team discovered the bug in November 2024 while testing a 2023 Subaru Impreza that his mother had purchased last year. The vulnerability gave them access to a vehicle’s complete location history – not just at one moment in time, but throughout the entire year.
Speaking to Wired, Curry said the information was so detailed that he could pinpoint the doctor she saw, where her friends lived and even the exact parking spot she used each time she went to church.
“You can retrieve at least a year’s worth of a car’s location history, where it was pinpointed, sometimes multiple times a day,” Curry told the publication. “Whether someone is cheating on their wife, having an abortion or joining a political group, there are a million situations that can be used to attack someone.”
But things got worse—much worse.
Curry and fellow researcher Shubham Shah said they discovered a vulnerability in a Subaru website designed for company employees that allowed them to take over employees’ accounts. This gave them control of the vehicle’s Starlink functionality and access to a wealth of personal details, including the customer’s name, emergency contacts, home address, and even the vehicle’s PIN. It didn’t stop there: they could also remotely unlock the car, start it and browse its call history. Yes, it’s that bad.
A security hole large enough to pass through
Hackers don’t need supercomputers or sci-fi gadgets to do this. All they need is the victim’s last name along with the car’s license plate, the owner’s zip code, phone number or email address. The hackers would put this information into a website designed for Subaru employees to help Starlink users. They gained access to the site through a sequence of reasoned steps and then identified security holes in the site itself.
To its credit, Subaru has closed this hole. Best of all, the automaker fixed the problem less than 24 hours after becoming aware of the situation. The researchers said they alerted Subaru to the issue at 11:54 pm on November 20. By 4 pm on the 21st, the vulnerability had been fixed and the attack no longer worked.
Who can you trust with your data?
At the same time, all of this raises the larger issue that private data no longer appears to be private. As Sam Curry points out on his website, even if there are no bad actors, many people still have access to this data – namely employees.
“The auto industry is unique in that an 18-year-old employee from Texas can look up billing information for a car in California and it doesn’t really set off any alarm bells,” Curry wrote. “These employees all have access to a lot of personal information as part of their daily work, and the whole thing relies on trust.”
Robert Herrell, executive director of the Consumer Federation of California, echoed those concerns to Wired: “A group of Subaru employees appear to have a staggering amount of detailed information. People are being tracked in ways they don’t know about.”
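The point Curry makes above, that a cross-state lookup “doesn’t really set off any alarm bells”, is a detection gap as much as an access-control one. As an added example (not Subaru’s code, and not something the researchers published), here is the kind of audit-log check a defender would put in front of an employee lookup portal: it flags sensitive lookups on vehicles outside the employee’s home region and bursts of lookups by a single account. The log format, field names, regions and sample lines are all constructed for illustration.

```python
"""
Audit-log checks for an employee customer-lookup portal (added example).

Flags two things a support portal should alarm on:
  1. a sensitive lookup on a vehicle outside the employee's home region
  2. a burst of sensitive lookups by one employee inside a short window
Log format, field names and regions are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format, one event per line:
# ISO timestamp | employee id | employee home region | action | vehicle id | vehicle region
SAMPLE_LOG = """\
2024-11-20T14:01:10Z emp-1041 TX lookup_billing VIN-A1 TX
2024-11-20T14:02:30Z emp-1041 TX lookup_location VIN-B7 CA
2024-11-20T14:03:05Z emp-2208 CA lookup_billing VIN-B7 CA
2024-11-20T14:03:40Z emp-1041 TX lookup_location VIN-C3 TX
2024-11-20T14:04:15Z emp-1041 TX lookup_location VIN-D9 TX
2024-11-20T14:05:00Z emp-1041 TX lookup_contacts VIN-E2 TX
2024-11-20T14:05:45Z emp-1041 TX lookup_location VIN-F5 TX
2024-11-20T15:30:00Z emp-2208 CA lookup_billing VIN-G8 CA
"""

# Actions that expose personal data (assumed names) and deserve stricter monitoring.
SENSITIVE_ACTIONS = {"lookup_location", "lookup_contacts", "lookup_billing"}


def parse_line(line):
    """Split one audit line into a dict; raises ValueError on a malformed line."""
    ts, emp, emp_region, action, vehicle, veh_region = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "employee": emp,
        "employee_region": emp_region,
        "action": action,
        "vehicle": vehicle,
        "vehicle_region": veh_region,
    }


def detect_anomalies(log_text, burst_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (employee_id, reason) alerts for the given log text."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    alerts = []
    per_employee = defaultdict(list)

    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        # Check 1: employee touching a vehicle registered outside their own region.
        if ev["vehicle_region"] != ev["employee_region"]:
            alerts.append((
                ev["employee"],
                f"cross-region {ev['action']} on {ev['vehicle']} "
                f"({ev['employee_region']} -> {ev['vehicle_region']})",
            ))
        per_employee[ev["employee"]].append(ev["ts"])

    # Check 2: sliding window over each employee's sensitive lookups; report the peak count.
    for emp, stamps in per_employee.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            alerts.append((emp, f"{peak} sensitive lookups within {window}"))

    return alerts


if __name__ == "__main__":
    for employee, reason in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {employee}: {reason}")
```

On the constructed log, emp-1041 trips both checks: one lookup on a California vehicle from a Texas account, and six sensitive lookups inside ten minutes. In a real deployment the thresholds and the region model would come from the portal’s actual role assignments, and the alert would feed the same queue as any other insider-risk signal.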
It’s not just Subaru: this kind of vulnerability and data access could be an industry-wide problem. Currently, there is no clear solution other than to completely opt out of data collection when purchasing a connected car. Of course, you’ll lose some functionality when you do this, but it might be worth it to keep prying eyes out of your business.
