January 23, 2025 By Balaji N
A critical vulnerability in Subaru’s STARLINK connected vehicle service was discovered late last year, exposing millions of vehicles and customer accounts across the United States, Canada, and Japan to potential cyberattacks.
Subaru is known for its all-wheel-drive vehicles, high safety ratings, and strong presence in motorsports. Popular models like the Outback and Forester contribute to its top 10 U.S. sales ranking.
The security vulnerability allowed attackers to remotely access sensitive vehicle and personal data with minimal information such as a last name and ZIP code, email address, phone number, or license plate. Exploiting the flaw would have enabled malicious actors to:
- Remotely start, stop, lock, and unlock vehicles.
- Access real-time vehicle locations and retrieve detailed location histories from the past year.
- Extract customers’ personally identifiable information (PII), including addresses, billing details (partial credit card information), emergency contacts, and vehicle PINs.
- Query additional user data such as support call history, odometer readings, sales records, and more.
Map displaying 1,600 leaked coordinates from a 2023 Subaru
