Hacker Finds Data Vulnerability in Subaru Starlink, Enabling Remote Control Without Driver Consent
Security researcher and ethical hacker Sam Curry has claimed he discovered a cybersecurity risk in Subaru vehicles, allowing hackers to access data on owners and even remote control functions, reports The Street.
As shared in a Jan. 23 blog post, Curry and an associate were able to access Subaru’s Starlink—which powers vehicle infotainment and different safety features—through a gap in the administrator console.
The gap granted them administrative access, allowing them to access the data of nearly every Subaru vehicle in the U.S., Canada, and Japan that has Starlink. Anyone with a Subaru owner’s full name, address, license plate number, or VIN could track the vehicle’s location data for up to a year.
In addition, Curry found they could enable functions found in the MySubaru app, such as remote locking, unlocking, start-up, and shut down.
To test the limits of this, Curry reached out to a friend of his who owns a Subaru. Provided with only the license plate number, Curry was able to make himself an authorized user, allowing him to use whatever functions he wanted on the car.
“Afterwards, she confirmed that she did not receive any notification, text message, or email after we added ourselves as an authorized user and unlocked her car,” wrote Curry.
Curry said he first discovered the vulnerability in November 2024, after which he made Subaru aware and the issue was patched. However, a representative with Subaru of America told The Street that Curry and his partner “received authorization from their friends and family to access their information,” and that no Starlink customer accounts had actually been compromised.
Regardless, Curry claimed that he’s seen similar data vulnerabilities from other automakers as well, including Acura, Honda, Ferrari, Hyundai, Kia, and Toyota.