Millions of Subaru vehicles equipped with the company’s Starlink technology were recently found to be vulnerable to remote hacking, exposing both their physical security and their owners’ privacy. Flaws in the system allowed unauthorised access to critical functions such as unlocking doors, starting engines, and retrieving detailed location histories spanning up to a year.
Beyond the immediate risk of vehicle theft or unauthorised use, the ability to view a car’s precise movements raised alarming privacy concerns, revealing sensitive details like visits to medical facilities, religious institutions, and personal residences, reports Wired.
While Subaru patched the vulnerabilities after security researchers Sam Curry and Shubham Shah reported them to the company, the incident is not an isolated one. In the past, several car manufacturers, including Honda, Kia, Toyota, Volkswagen and Mercedes-Benz, have been victims of cyber-attacks and unpatched flaws.
The researchers identified glaring flaws in Subaru’s administrative domain (SubaruCS.com). By exploiting weaknesses in the password reset process, they could easily take over employee accounts. The system relied on security questions that were validated locally in the user’s browser instead of on Subaru’s servers, allowing this safeguard to be bypassed effortlessly.

Once inside an employee account, the researchers could search for customer details such as names, license plates, or email addresses, and reassign control of vehicles’ Starlink features to any device they chose.
Beyond control of vehicle functions, the hack exposed detailed location data. Through their access to Starlink, Subaru employees could view not only a car’s current location but also its historical movements — data potentially stretching back years. Subaru confirmed that its employees can access such information to assist first responders in emergencies, but Curry pointed out that such tasks don’t require prolonged location histories.
“The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry notes. “It’s just normal functionality that an employee can pull up a year’s worth of your location history.”
Car manufacturers collect large amounts of customer data, and some even reserve the right to sell this information; hence even a minor flaw in their servers could potentially affect millions.