Security researchers have disclosed a serious vulnerability in Subaru's Starlink connected-car system that exposed potentially millions of vehicles to unauthorized access and location tracking. Exploiting it required nothing more than an employee's email address to take over an account on Subaru's internal portal, after which any vehicle could be located from its license plate. The flaw affected Subaru vehicles across the United States, Canada, and Japan, and it highlights significant privacy weaknesses in connected-car back ends.
Authentication Bypass Exposes Critical Vehicle Controls
Security researchers Sam Curry and Shubham Shah identified critical flaws in the authentication of Subaru's employee portal, SubaruCS.com. Its password-reset flow asked a security question, but the answer was checked only in the browser; the request that actually reset the password could be sent straight to the server without it, so anyone who knew an employee's email address could take over that account. Once inside, the portal let the attacker look up vehicle owners by license plate, email address, or ZIP code, turning a single account takeover into a privacy breach vector for every customer in the system.
Subaru Starlink-Equipped Vehicle Owners in US, Canada, and Japan
The vulnerability affected owners of Subaru vehicles with Starlink connectivity across the United States, Canada, and Japan, potentially millions of vehicles. Any Subaru owner whose vehicle was manufactured or sold with the Starlink telematics system enabled was exposed to unauthorized location tracking and remote control of vehicle functions. Subaru patched the vulnerability in November 2024 and tightened data-access rules for employees, but the incident underscores systemic risks across the broader connected-car industry.
Extensive Impact on Vehicle Security and Privacy
The vulnerability let unauthorized parties remotely control vehicle functions, including locking and unlocking the doors and starting the engine. Most concerning was access to detailed location history: the system logged precise coordinates every time the engine was started, which over time amounts to a complete movement profile of the owner and raises serious privacy implications.
Automotive Industry’s Data Privacy Challenge
The incident fits a broader pattern documented by Mozilla's *Privacy Not Included research on car brands: 92% of the vehicles reviewed gave owners little or no control over their personal data, and 84% of manufacturers reserve the right to share collected data with third parties. Modern vehicles collect extensive personal information, including location data, biometric measurements, and health-related information, so a single back-end weakness can expose far more than account credentials.
Technical Impact Assessment
The vulnerability chained weaknesses at several layers of the employee-facing portal:
- Authentication: the password-reset flow could be completed without proving control of the account
- Input validation: the security-question check ran in the browser, which the attacker controls, rather than on the server
- Access control: any logged-in employee could run broad, unscoped queries against customer records by license plate
- Data segregation: internal employee tools had direct access to owner PII and full location history, with nothing separating support tooling from raw owner data
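The access-control and data-segregation points above are easier to see in code. The following is an added example, not Subaru's portal code: a support-tool lookup function that requires a case reference, accepts only an exact plate-and-state match, rate-limits each employee, masks the owner's email, withholds location history unless the caller's role is explicitly granted it, and writes an audit entry for every call, allowed or denied. The vehicle records, role names (support, investigator), permission strings, and case-ID format are all hypothetical.

```javascript
// Added example (not Subaru's code): a least-privilege vehicle lookup for an
// internal support tool. Data model, role names and permissions are hypothetical.

// Constructed sample records.
const vehicles = [
  { vin: "JF1TESTVIN0000001", plate: "ABC1234", state: "CA",
    owner: { name: "A. Owner", email: "owner1@example.com" },
    locationHistory: [{ ts: "2024-11-01T08:00:00Z", lat: 37.77, lon: -122.42 }] },
  { vin: "JF1TESTVIN0000002", plate: "XYZ9876", state: "NJ",
    owner: { name: "B. Owner", email: "owner2@example.com" },
    locationHistory: [{ ts: "2024-11-02T09:30:00Z", lat: 40.21, lon: -74.01 }] },
];

// Role -> permissions. Location history is a separate, rarely granted permission.
const PERMS = {
  support: new Set(["vehicle:lookup"]),
  investigator: new Set(["vehicle:lookup", "vehicle:location_history"]),
};

const MAX_LOOKUPS_PER_HOUR = 20;
const auditLog = [];            // append-only; ship to a SIEM in production
const lookupCounts = new Map(); // employee -> [timestamps of counted lookups]

function countRecent(employee, now) {
  const cutoff = now - 3600 * 1000;
  const ts = (lookupCounts.get(employee) || []).filter(t => t > cutoff);
  lookupCounts.set(employee, ts);
  return ts.length;
}

// session: { employee, role }; query: { plate, state, caseId }
function lookupVehicle(session, query, now = Date.now()) {
  const perms = PERMS[session.role] || new Set();
  const deny = (reason) => {
    auditLog.push({ ts: now, employee: session.employee, action: "lookup",
      query: { plate: query.plate, state: query.state }, caseId: query.caseId,
      outcome: "denied", reason });
    return { status: 403, reason };
  };
  if (!perms.has("vehicle:lookup")) return deny("missing_permission");
  // Every PII lookup must be tied to a support case so it can be justified later.
  if (!/^CASE-\d{6}$/.test(query.caseId || "")) return deny("missing_case_reference");
  // Exact match on plate+state only: no prefix or wildcard search, no "list everything".
  if (!/^[A-Z0-9]{2,8}$/.test(query.plate || "") || !/^[A-Z]{2}$/.test(query.state || "")) {
    return deny("malformed_query");
  }
  if (countRecent(session.employee, now) >= MAX_LOOKUPS_PER_HOUR) return deny("rate_limited");
  lookupCounts.get(session.employee).push(now);

  const v = vehicles.find(x => x.plate === query.plate && x.state === query.state);
  // Data minimization: return only what a support agent needs; mask the email,
  // and include location history only for roles explicitly granted it.
  const record = v ? {
    vin: v.vin,
    ownerName: v.owner.name,
    ownerEmail: v.owner.email.replace(/^(.).*(@.*)$/, "$1***$2"),
    ...(perms.has("vehicle:location_history") ? { locationHistory: v.locationHistory } : {}),
  } : null;
  auditLog.push({ ts: now, employee: session.employee, action: "lookup",
    query: { plate: query.plate, state: query.state }, caseId: query.caseId,
    outcome: v ? "found" : "not_found", vin: v ? v.vin : null });
  return { status: 200, record };
}
```

None of these controls would have stopped the account takeover itself, but each one shrinks what a stolen employee session is worth: a case-bound, rate-limited, exact-match lookup that returns a minimized record and leaves an audit trail is a far smaller prize than an unscoped search over every owner's location history.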
What Subaru Owners Should Do Now
- Log into your MySubaru account and review the authorized users on your vehicle; remove any you do not recognize
- Review the location history shown in the Subaru app for trips you do not recognize, keeping in mind that it shows where the car has been, not who looked it up
- Change your MySubaru password and enable two-factor authentication if it is offered
- Contact Subaru customer support if you believe your vehicle's data was accessed without authorization
Subaru patched the vulnerabilities in November 2024 after coordinated disclosure. However, the underlying issue, that an employee-facing admin panel could grant unrestricted access to vehicle location and owner PII to anyone holding nothing more than an employee's email address, reflects a pattern seen across connected-vehicle platforms. Vehicle owners should check whether their manufacturer offers activity logs or access notifications, and disable telematics features they do not use.