About a year ago, security researcher Sam Curry purchased a Subaru for his mother with the understanding that, at some point in the near future, she would allow him to test its security by hacking it.
It wasn’t until last November, while visiting home for Thanksgiving, that Curry began investigating the 2023 Impreza’s internet-connected features. Working alongside fellow researcher Shubham Shah online, Curry quickly uncovered vulnerabilities in Subaru’s web portal that allowed them to exploit key vehicle functions. They found they could hijack controls for unlocking the car, honking its horn, and even starting its ignition. These controls could be reassigned to any device—phone or computer—they chose.
More unsettling for Curry, however, was the ability to track the car’s location. Not only could they pinpoint its real-time position, but they could also access an entire year’s worth of location history. The detailed map of his mother’s movements revealed her doctor visits, the homes of friends, and even the exact parking spaces she used at her church.
“You can retrieve at least a year’s worth of location history for the car, where it pinged precisely, sometimes multiple times a day,” Curry explained. “Whether someone’s cheating on their spouse, getting an abortion, or part of a political group, there are endless scenarios where this could be weaponized.”
In a blog post today, Curry and Shah outlined their method for hacking and tracking millions of Subaru vehicles. They believe their findings revealed potential vulnerabilities in any Subaru equipped with Starlink digital features across the U.S., Canada, and Japan. By exploiting flaws in a Subaru web portal designed for employees, they managed to hijack an employee’s account. This gave them access to control Starlink features and retrieve detailed vehicle location data available in the employee admin portal. This included every instance the car’s engine started, as demonstrated in their video.

Subaru was notified of the vulnerabilities in late November, and the company promptly addressed the Starlink security flaws. However, Curry and Shah caution that this incident reflects a broader issue. Over the years, they and other researchers have identified similar vulnerabilities affecting more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and others. They warn that it’s likely other undiscovered flaws still exist across the industry.
While Subaru quickly patched the web vulnerabilities, the researchers raised concerns about the implications of employee access to customer location data. “Even though this is patched, the functionality allowing Subaru employees to access a year’s worth of location history still exists,” Curry said.
When reached for comment by WIRED, a Subaru spokesperson acknowledged the security flaw and said: “After being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed, and no customer information was accessed without authorization.”
The spokesperson also confirmed that certain Subaru employees, depending on their job roles, have access to location data. They provided an example of employees using this data to assist first responders in cases of detected collisions. The company emphasized that employees undergo training and are required to sign privacy, security, and NDA agreements. They added that Subaru continuously updates its security monitoring systems to combat modern cyber threats.
In response, Curry pointed out that first responder assistance does not require a year’s worth of location history. WIRED reached out to Subaru for clarification on how long it retains customer location data, but the company did not respond.
Curry and Shah’s investigation began when they noticed Curry’s mother’s Starlink app connected to a domain called SubaruCS.com, an administrative site for employees. Upon inspecting the site for vulnerabilities, they discovered they could reset employee passwords by guessing email addresses. Although the password reset feature required answers to security questions, the answers were verified through code running in the user’s browser, not on Subaru’s server. Because the check never ran server-side, anyone controlling the browser could simply skip it, which made the safeguard easy to bypass.
Using this method, they identified a Subaru Starlink developer’s email on LinkedIn and took over the employee’s account. This granted them access to search for Subaru customers by name, zip code, email, phone number, or license plate. Within seconds, they could reassign control of a vehicle’s Starlink features—unlocking doors, honking horns, starting engines, and tracking locations, as shown in their demonstration video.

While such vulnerabilities pose theft and safety risks, the researchers highlighted a more sinister threat. A hacker could use this data to stalk or target victims, locate vehicles, and even unlock them remotely. However, the car’s immobilizer system would still need to be bypassed to drive the vehicle away.
This incident echoes previous findings. Last summer, Curry and another researcher, Neiko Rivera, demonstrated similar vulnerabilities in millions of Kia vehicles. Over the past two years, Curry, Shah, and their team have uncovered web-based security flaws affecting major automakers, including BMW, Ferrari, Mercedes-Benz, and Toyota.
What sets Subaru’s case apart, according to the researchers, is their access to detailed historical location data spanning at least a year. While Subaru may collect even longer histories, Curry and Shah only tested the system on Curry’s mother’s car.
Curry criticized Subaru’s extensive location tracking, describing it as a glaring example of the auto industry’s inadequate privacy protections. “There’s an expectation that a Google employee can’t just go through your Gmail. Yet, Subaru’s admin panel literally has a button that lets an employee view a year’s worth of location history,” Curry remarked.
This discovery underscores growing concerns about the sheer volume of data car companies collect. In December, a whistleblower revealed that Cariad, a Volkswagen software partner, had left location data for 800,000 electric vehicles publicly accessible online. Similarly, a Mozilla Foundation report from September described modern cars as “a privacy nightmare,” citing that 92% of automakers give owners little control over collected data, and 84% reserve the right to share or sell it. Subaru stated it does not sell location data.
“While we worried about doorbells and smartwatches spying on us, car brands quietly entered the data business by turning vehicles into powerful data-gathering machines,” Mozilla’s report noted.
Curry and Shah’s findings reveal not just the potential for abuse of Subaru’s data but a broader industry-wide privacy issue. Robert Herrell, executive director of the Consumer Federation of California, described it as alarming. “It seems like Subaru employees have access to an unsettling amount of detailed information,” Herrell said. “People are being tracked in ways they don’t even realize.”