Subaru Starlink Connected Services

Fail
Subaru · 🇺🇸 United States · Cellular + WiFi + Bluetooth
Technical details
App: MySubaru
Manufacturer: Subaru

⚠️ The bottom line

Two security researchers accessed Subaru's admin portal and could unlock any Subaru in the country, start the engine, and pull a full year of location history — for millions of vehicles. One web vulnerability. No alarms triggered. They could track where any Subaru owner lived, worked, shopped, and slept. The "connected car" was connected to anyone who found the door.

A Subaru employee used the company's vehicle tracking to stalk someone. The system let them. When researchers looked at the admin portal, they found any employee could pull a year of location data for any Subaru. No audit logs flagged the stalker. The system was designed to track — it just wasn't designed to stop the people with access from misusing it.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: NSA collects stored emails, photos, and messages without individual warrants.
Geofence warrants: Police can demand location data for everyone near a crime scene.
Scores
Spying (Is someone spying on me?): 2/4 MODERATE
Data Sharing (Who gets my data?): 1/4 LOW
Security (Is it actually secure?): 3/4 HIGH
Honesty (Can I trust what they say?): 1/4 LOW
Verdict: CONFIGURE (high-risk areas that can be partially mitigated with settings changes)
Contradictions: 3 (1 critical, 2 high, 0 medium)
Sources: 3
Findings by concern
Spying · 2/4 MODERATE · 1 finding
⚡ High · marketing vs third-party research
Mozilla gave Subaru its worst privacy rating. No warrant needed for police to get your data. No opt-out for location tracking. Your speed, your routes, your driving behaviour — all collected, all shareable. The safety features are real. So is the surveillance. You cannot have one without the other in a Subaru.

What they claim: Subaru promotes Starlink as enhancing driver safety with features like automatic collision notification

What we found: Mozilla's *Privacy Not Included* review gave Subaru the worst possible rating, finding the company could share data with law enforcement without a warrant, share driving data with third parties, and had no meaningful opt-out for data collection in connected vehicles. Subaru's privacy policy reserves the right to collect "geolocation, speed, and driving behaviour" data.

Security 3/4 HIGH 1 finding
⚠️ Critical · marketing vs third-party research

What they claim: Subaru Starlink described as a safety and convenience platform for vehicle owners

What we found: In January 2025, security researchers Sam Curry and Shubham Shah demonstrated they could remotely access Subaru Starlink's admin portal, enabling them to unlock any Subaru, start the engine, retrieve a full year of location history, and access customer PII for millions of vehicles — all through a vulnerability in a single employee-facing web application.

Honesty 1/4 LOW 1 finding
⚡ High · privacy policy vs third-party research

What they claim: Subaru privacy policy describes employee access to vehicle data as limited and controlled

What we found: The researchers found that Subaru employees had unrestricted access to vehicle location histories going back at least a year. A Subaru employee had previously been caught using Starlink's location tracking to stalk a person. The system retained granular location data well beyond what was necessary for any legitimate service function.

Sources