
Just over a year ago, Sam Curry bought his mom a 2023 Subaru Impreza. The gesture came with one condition: she’d let him try to hack it. Context is important here: Sam is an “ethical hacker” who helps companies and other entities find information security gaps. When he went home for Thanksgiving in November, he asked his mom for her MySubaru account login.

He didn’t get anywhere with the MySubaru App.

After attempting to bypass the MySubaru app security features several times, he failed enough to declare it “secure.”

So he kept looking around. He enlisted a colleague, Shubham Shah, to help. Curry worked on automaker information security before and knew there could be employee-facing platforms that might be accessible to the public. These often contained wider permissions than customer-facing apps.

Now, keep in mind that this “Starlink” is not SpaceX’s satellite-based service. Rather, it’s Subaru’s in-brand wireless-internet-based infotainment and security subscription.

After some trial and error, Curry and Shah eventually located a JavaScript endpoint that could reset an employee’s password without a confirmation token. He just needed an employee’s email address to test it out.

Looking at employee profiles and then Googling their names, Curry figured out that Subaru formats staff emails like this: [first_initial][last]@subaru.com.

After four attempts, they landed at a valid employee email address.

They proceeded to log in using a new password he created.

There was a final roadblock, a small security feature covering the user interface, which Curry quickly removed from the UI code. Success!

Once inside the Admin panel, he could locate his mom’s Impreza…or any Subaru in the U.S., Canada, or Japan.

The colleagues found he could control the start/stop engine function, unlock and lock the doors, and see the location tracking history going back 12 months. Curry screenshotted his mom’s records in his blog. He could also look up owner addresses and parts of their billing information.

To confirm they had access to literally any Subaru with a Starlink account, Curry phoned a friend and asked her if they could hack her ride. She agreed and even filmed the pair unlocking her car remotely after she gave them just her license plate number.

Curry reported the gap to Subaru.

The automaker fixed the vulnerability in less than 24 hours.

In any case, Curry’s experiment just goes to show how easily some platforms can be hacked. What else do Americans interface with that’s open to these risks?
