Security exploit in Subaru automobile software allows hackers full access to vehicles

A security researcher uncovered a vulnerability that allowed him to track and control Subaru cars. (Image source: Subaru logo and Shutterstock, w/ edits)

A recently revealed exploit in the Starlink system used in Subaru vehicles allowed hackers to access any connected Subaru car in the United States, Canada, or Japan and add themselves as an authorized user. With this access, hackers could discover personal data of vehicle owners, remotely unlock and start or stop a car, and download a vehicle's location history over an entire year.

Sam Medley, Published 01/24/2025 🇫🇷 🇪🇸 ...

As the auto industry gets smarter and more connected, the number of security vulnerabilities grows. A new report details just how vulnerable connected cars can be.

A security researcher by the name of Sam Curry recently released a blog post detailing how he and a colleague (Shubham Shah) were able to compromise the Starlink software system used by Subaru cars. Starlink powers the infotainment center in Subaru vehicles and allows users to remotely control their registered cars, which can include remotely locking/unlocking the vehicle and starting it.

Curry explained that an exploit in the Subaru employee login page for the Starlink system allowed him to identify a valid employee email address, change the employee's password, and circumvent any kind of two-factor authentication to log in.

Once inside the Starlink system, Curry realized he could locate any registered Subaru vehicle via one of the following: a customer name, phone number, email address, or vehicle identification number (VIN). (Note that VINs can easily be found via a license plate.) Once a car was found, all of this information was ripe for the taking. Other available information included billing data, emergency contacts, and more.

Not only was this personal data easily attainable, but the vehicle's location history over the past year was also available and, according to Curry, easy to download and plot. This location data included a time stamp, the vehicle's odometer, and the GPS coordinates (accurate to within about 15 feet or 5 meters).

Perhaps most alarmingly, Curry was able to find a friend's car in the database and add his personal credentials as an authorized Starlink user to that vehicle. Once he was added, he could control the car remotely. This allowed him to lock and unlock the car, remotely start it, and determine its location. The affected Starlink user did not receive any notification that another user had been added to the car's Starlink account.

Subaru appears to have since patched the vulnerability, which Curry discovered in November 2024. To their credit, the car manufacturer issued a patch within 24 hours of receiving a report from Curry. Curry's post serves as a reminder that, as smart as our cars are, they can still be quite vulnerable to thieves and other malicious actors.

Buy a CARLOCK 4G OBD car tracker on Amazon.

Source(s)

Sam Curry

4chan has fallen: Infamous forum site taken down following major hack 04/16/2025

The founder of a supposed AI-powered checkout service has been arrested for fraud. The app allegedly relied almost entirely on human input. (Image source: Bing image generation)

AI shopping app allegedly used humans, founder charged with fraud 04/11/2025

Between these five affected apps, up to 900,000 users may have been affected (Image source: M.A.D. Mobile – edited)

Massive privacy breach in niche dating apps exposes sensitive user photos 04/01/2025

There is a new software-only hack to jailbreak the Xbox 360 (pictured). (Image source: Wikimedia w/ edits)

New software jailbreak for Xbox 360 requires only USB drive 03/18/2025

NordVPN launches new protocol to bypass VPN blockers 01/30/2025

MI5 hiring tech experts (Image source: Security Services MI5)

James Bond looking for a new Q: MI5 is hiring 01/25/2025

Kensington's Mac mini is available globally. (Image source: Kensington)

New Apple Mac mini accessory should make the mini-PC almost impossible to steal 01/24/2025

Mental health apps might turn into bigger business soon. (Image source: Headspace)

Mental health apps backed to turn into multi-billion-dollar business by 2031 01/23/2025

Major public school student information system hacked, compromising data of millions of students 01/22/2025

Supreme Court upholds law to ban TikTok from the US in the interest of national security. (Image source: TikTok)

US Supreme Court upholds TikTok ban 01/17/2025

This new Steam scam can be scary for unwary users, considering it can phish their complete login credentials. It could be especially worse if two-factor authentication isn't active. (Image source: Steam)

This legit-looking Steam phishing scam could steal your login credentials in seconds 01/16/2025

Security vulnerability in Outlook. (Image source: Imagen3)

Vulnerability in Outlook allows hackers to potentially distribute malware via email 01/16/2025

Deception via AI and a sick Brad Pitt. (Image source @TheOscarRace on X)

French woman defrauded of $850k in romance scam 01/16/2025

Wyze Cam v4 Descriptive Text (Image Source: Wyze)

Wyze cameras now use AI for descriptive text alerts 01/15/2025

The USB-C controller in the iPhone 15 and 16 has a security loophole. (Image source: Samuel Angor)

Apple iPhone: Security flaw in USB-C port could let malware access sensitive data 01/14/2025

OpenAI releases a new blueprint for its own version of AI regulation (Image source: Dall-E 3)

OpenAI unveils economic blueprint to secure U.S. AI leadership 01/14/2025

Read all 2 comments / answer

Loading Comments

Comment on this article

Cheaper Casio runners watches with ...

Doom: The Dark Ages will be strictl...

Sam Medley - Senior Tech Writer - 1465 articles published on Notebookcheck since 2016

I've been a computer geek my entire life. After graduating college with a degree in Mathematics, I worked in finance and banking a few years before taking a job as a database administrator. I started working with Notebookcheck in October of 2016 and have enjoyed writing news and reviews. I've also written for other outlets including UltrabookReview and GeeksWorldWide, focusing on consumer guidance and video gaming. My areas of interest include the business side of technology, retro gaming, Linux, and innovative gadgets. When I'm not writing on electronics or tinkering with a device, I'm either outside with my family, enjoying a decade-old video game, or playing drums or piano.

contact me via: Bluesky, LinkedIn

Please share our article, every link counts!