- Researchers found a serious security vulnerability in Subaru’s Starlink system late last year.
- It enabled full access to private data including location, emergency contacts, call history, and more.
- Subaru patched the vulnerability within 24 hours but left broader privacy concerns unresolved.
Connected cars store so much data that they might as well be rolling surveillance devices. Now, researchers are opening up about a new security flaw that enabled them to access sensitive data through Subaru’s Starlink technology. While Subaru patched the issue in a timely manner, the incident raises uncomfortable questions about how private your private data really is in the age of connected vehicles.
Sam Curry, a security researcher you might remember from past vehicle hacks, and his team discovered the flaw in November 2024 while testing his mother’s 2023 Subaru Impreza, which he had purchased for her the previous year. The vulnerability allowed them to access the vehicle’s complete location history—not just for a single moment, but for the entire year.
Speaking to Wired, Curry said that the information was so detailed that he could pinpoint her doctor visits, the homes of her friends, and even the exact parking spot she used every time she went to church.
“You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” Curry told the publication. “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”
But it gets worse—much worse.
Curry and fellow researcher Shubham Shah said they discovered weaknesses in a Subaru website designed for company staff, which enabled them to take over an employee’s account. This gave them the ability to take control of a vehicle’s Starlink features and access a trove of personal details, including the customer’s name, emergency contacts, home address, and even the vehicle’s PIN. They didn’t stop there, as they could also remotely unlock the car, start it, and browse its call history. Yes, it was that bad.
A Security Hole Big Enough to Drive Through
The hackers didn’t need a supercomputer or a sci-fi gadget to do this. All they needed was the last name of the victim along with the car’s license plate, the owner’s ZIP code, phone number, or email address. The hackers would put that information into a website designed for Subaru employees to assist Starlink users. They gained access to that site by working through security holes in the site itself, first theorized and then confirmed.
To Subaru’s credit, this vulnerability no longer exists. On top of that, the automaker fixed the problem less than 24 hours after it learned about the situation. The researchers say they alerted Subaru to the issue at 11:54 p.m. on November 20. By 4:00 p.m. on the 21st, the vulnerability was fixed and the hack no longer worked.
Who Can You Trust With Your Data?
At the same time, all of this brings up a larger point: private data doesn’t seem to be private anymore. As Sam Curry points out on his website, even without bad actors, plenty of people still have access to this data, namely employees.
“The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells,” wrote Curry. “It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust.”
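Curry’s point, that an out-of-state lookup sets off no alarm bells, is a detection gap rather than a law of nature. The following is an added example, not code from the article, from Curry, or from Subaru: it runs a minimal audit-log check over constructed lookup records (the log format, employee ids, home states and the per-employee limit are all assumptions) and flags lookups outside an employee’s home state as well as unusually high lookup volumes.

```python
# Added example (not from the article or Subaru): a minimal audit-log check for the
# cross-region lookup pattern Curry describes. Log format, field names and sample
# records are all constructed for illustration.
from collections import Counter

# Constructed employee directory: which state each support employee works from.
EMPLOYEE_HOME_STATE = {"emp-1042": "TX", "emp-2077": "CA"}

# Constructed audit lines: timestamp, employee id, customer id, customer state, record type.
SAMPLE_AUDIT_LOG = """\
2024-11-20T14:01:05Z emp-2077 cust-5501 CA billing
2024-11-20T14:02:11Z emp-1042 cust-7733 CA billing
2024-11-20T14:02:40Z emp-1042 cust-7734 CA location_history
2024-11-20T14:03:02Z emp-1042 cust-7735 CA billing
2024-11-20T14:03:30Z emp-1042 cust-7736 CA emergency_contacts
2024-11-20T15:10:00Z emp-2077 cust-5502 NV billing
"""

def parse_audit_log(text):
    """Turn each whitespace-separated audit line into a dict; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, cust, state, record = line.split()
        events.append({"ts": ts, "employee": emp, "customer": cust,
                       "state": state, "record": record})
    return events

def flag_lookups(events, employee_states, per_employee_limit=3):
    """Return alerts for (a) lookups of customers outside the employee's home state,
    and (b) employees whose total lookup count exceeds per_employee_limit."""
    alerts = []
    counts = Counter(e["employee"] for e in events)
    for e in events:
        home = employee_states.get(e["employee"])  # unknown employee is also flagged
        if home is None or home != e["state"]:
            alerts.append(("cross_region", e["employee"], e["customer"], e["record"]))
    for emp, n in counts.items():
        if n > per_employee_limit:
            alerts.append(("high_volume", emp, n))
    return alerts

if __name__ == "__main__":
    for alert in flag_lookups(parse_audit_log(SAMPLE_AUDIT_LOG), EMPLOYEE_HOME_STATE):
        print(alert)
```

In a real deployment the home-state map would come from the HR directory and the threshold from observed baselines; the point is that both signals are cheap to compute from logs the portal already has to keep.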
Robert Herrell, executive director of the Consumer Federation of California, echoed the same concerns to Wired: “It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information. People are being tracked in ways that they have no idea are happening.”
And it’s not just Subaru; this kind of vulnerability and data access is likely an industry-wide problem. For now, there’s no clear solution other than to completely opt out of data collection when buying a connected car. Of course, you’ll lose out on some features when doing so, but it might be worth it to keep prying eyes out of your business.