
Security researchers gained complete control of Subaru vehicles worldwide using only basic customer information like license plates or ZIP codes
Motor Illustrated reports:
Security researchers discovered a critical vulnerability in Subaru’s STARLINK connected vehicle service that allowed unauthorized access to vehicles and customer data across the United States, Canada, and Japan, according to a blog post published by security researcher Sam Curry on January 23, 2025. The flaw, found during Thanksgiving 2024 and patched within 24 hours, could have exposed extensive vehicle control capabilities and sensitive customer information.
Global Vehicle Access Through Admin Portal Weakness
Researchers Sam Curry and Shubham Shah identified the vulnerability in Subaru’s STARLINK admin portal on November 20, 2024. Using only basic customer information—such as a last name and ZIP code, email address, phone number, or license plate number—attackers could have gained complete access to vehicle controls and data. The system tracked vehicle locations with 5-meter accuracy, logging coordinates each time an engine started over the past year.
Read more at Motor Illustrated.