Ethical Hacker Finds Security Flaw in Subaru Starlink, Gains Remote Access to Vehicles

A cybersecurity researcher recently discovered a serious vulnerability in Subaru’s Starlink system, allowing him to remotely control vehicles across the U.S., Canada, and Japan. The ethical hacker, Sam Curry, was able to unlock doors, start and stop engines, and track vehicle locations after exploiting a flaw in an employee-facing platform. The issue was quickly reported to Subaru, which fixed the vulnerability within 24 hours.

What is Subaru Starlink?  

Subaru Starlink is the company’s connected vehicle system, offering a range of infotainment, security, and remote access features. It allows Subaru owners to lock or unlock their vehicles, start the engine remotely, and track their car’s location using the MySubaru mobile app. The system also provides emergency roadside assistance, automatic crash notifications, and stolen vehicle tracking.  

Because Starlink controls key vehicle functions remotely, any security vulnerability in the system could pose a major risk, allowing unauthorized access to vehicles.  

How the Hacker Gained Access  

Sam Curry, a well-known ethical hacker, decided to test Subaru’s security after purchasing a 2023 Subaru Impreza for his mother. When he failed to bypass the security of the MySubaru app, he and fellow researcher Shubham Shah looked for other ways to access Subaru’s systems.  

They eventually found a publicly accessible employee portal linked to the Subaru Starlink Admin Panel. A flaw in this portal allowed them to reset employee passwords without needing confirmation, as long as they had a valid company email address.  

To find an active employee email, Curry searched LinkedIn profiles of Subaru staff and used a common corporate email format. After a few attempts, he successfully reset a valid employee’s password and gained full access to the Subaru Starlink Admin Panel.  
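The root cause described above is a password-reset flow that never proves the requester controls the account. The following Python is an added illustration, not Subaru's code or the researchers' tooling: `reset_password_insecure` shows the weak pattern (a known address is enough to set a new password), and `request_reset`/`complete_reset` show the hardened flow with a hashed, single-use, time-limited token delivered out of band. The user store, token table and `outbox` mail stand-in are all constructed for the example.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores standing in for a real user directory and token table.
USERS = {}           # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}    # sha256(raw token) -> (email, expiry)
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def add_user(email, pw):
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(pw, salt)}

def check_password(email, pw):
    u = USERS.get(email)
    return bool(u) and hmac.compare_digest(u["pw_hash"], hash_password(pw, u["salt"]))

def reset_password_insecure(email, new_pw):
    """Weak pattern from the article: knowing a valid address is enough to set a new
    password. Nothing shows that the caller controls the mailbox."""
    if email not in USERS:
        return False
    USERS[email]["pw_hash"] = hash_password(new_pw, USERS[email]["salt"])
    return True

def request_reset(email, outbox, now=None):
    """Hardened step 1: mint a random token, store only its hash with an expiry, and
    deliver the raw token solely to the registered mailbox (outbox simulates e-mail).
    The response is identical for unknown addresses, so it cannot confirm accounts."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in USERS:
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
        outbox.setdefault(email, []).append(token)
    return None  # same response whether or not the account exists

def complete_reset(token, new_pw, now=None):
    """Hardened step 2: accept the new password only with a valid, unexpired token.
    The token is consumed on first presentation (valid or not) so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    email = entry[0]
    USERS[email]["pw_hash"] = hash_password(new_pw, USERS[email]["salt"])
    return True
```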

Once inside, he could:  

1. Locate any Subaru vehicle with a Starlink account  

2. Unlock and lock doors remotely  

3. Start and stop the engine  

4. Access tracking history for up to 12 months  

5. View partial billing details of vehicle owners  

To verify the extent of their access, Curry and Shah tested it on another Subaru owned by a friend. With just her license plate number, they remotely unlocked her car, confirming the system-wide vulnerability.  

Curry quickly reported the flaw to Subaru, which patched the vulnerability in less than a day. The automaker did not publicly comment on the issue, but the fix prevented any further unauthorized access.  

Why This Matters  

This discovery underlines the importance of strong cybersecurity measures in connected vehicles. As cars become more reliant on internet-based systems, ensuring their security is critical to preventing hacking attempts that could compromise user safety. The incident also underscores the role of ethical hackers in identifying and fixing security gaps before malicious actors exploit them.  


