Subaru recently faced a major cybersecurity breach, as security researchers discovered vulnerabilities in the company’s Starlink vehicle connectivity system. The flaws, which have now been patched, allowed unauthorized access to sensitive vehicle data, including real-time location tracking, remote control functionality, and personal customer information. The findings raise significant concerns about the security of modern connected vehicles and the broader risks within the auto industry.
A Portal Left Wide Open
Security researchers Sam Curry and Shubham Shah uncovered a glaring weakness in Subaru’s administrative web portal, which gave them access to a vast amount of vehicle data. Their investigation revealed that by exploiting a password reset loophole on a Subaru Starlink employee’s account, they could bypass security questions and two-factor authentication. Once inside, they found themselves with administrative control over Subaru’s connected cars in the U.S., U.K., and Japan.
After notifying Subaru, the company quickly patched the vulnerability. However, the researchers warn that the breach exposed serious privacy issues, as Subaru employees could still access driver location data simply by entering basic personal details—such as a name, email, phone number, ZIP code, or license plate.
Full Control Over Cars—With No Alerts to Owners
The researchers were able to:
✅ Track the real-time location of any connected Subaru within a 17-foot accuracy range
✅ Remotely start, stop, lock, and unlock vehicles
✅ Retrieve personal information including home addresses, emergency contacts, vehicle PINs, and even the last four digits of credit cards
✅ View call histories with customer service and monitor odometer readings and sales history
Shockingly, these actions could be performed without the vehicle owner receiving any notifications. In a test case, Curry and Shah added themselves as authorized users to a friend’s Subaru without her consent. No alerts were sent, and no permissions were required.
Wider Industry Concerns
In response to the findings, Subaru claimed no unauthorized access occurred beyond the security research. The company stated that its system has been updated to eliminate vulnerabilities and restrict employee access based on job relevance. However, Subaru’s statement doesn’t address the broader concern: why such a vast amount of personal data was accessible with minimal security measures in the first place.
Curry and Shah warn that Subaru is not alone in its cybersecurity failings. Similar security flaws have been found in Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and other automakers. These vulnerabilities highlight a disturbing trend in the auto industry, where customer trust is placed in systems that often lack proper safeguards against cyber threats.
A Wake-Up Call for the Auto Industry
The Subaru security breach serves as a critical warning for all connected car manufacturers. The ease with which the researchers were able to gain administrative access raises serious concerns about how well automakers are protecting their customers. As vehicle connectivity increases, so do the risks of data leaks, remote hacking, and unauthorized surveillance.
While Subaru has patched this specific vulnerability, the auto industry as a whole must reassess its cybersecurity standards to ensure that customer privacy is not just an afterthought.