Subaru Starlink

Subaru Starlink
Basic Information
Release Year	2013
Product Type	Software
In Production	Yes
Official Website	https://subaru.com/

For the satellite internet service provider, see Starlink.

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.^[1]

Incidents

Obstructive advertising

Since at least 23-05-25^[2], Subaru Starlink will sometimes display whole-screen advertisements for SiriusXM in vehicles with SiriusXM functionality^[2]. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.

Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM^[3]. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. ^[4] However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers^[5].

Starlink app exploit (2025)

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with JavaScript the hacker found an employee email off LinkedIn and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.

Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.^[6]

Data collection

Types of data collected

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:^[7]

Personal information
- Names, addresses, and contact details.
- Phone numbers and email addresses.
- Social-security numbers (in specific cases).
- Driver's license numbers.
- Vehicle identification numbers (VIN).
Vehicle data
- Location and GPS coordinates.
- Speed, acceleration, and braking patterns.
- Time and duration of trips.
- Maintenance and diagnostic information.
- Sensor data, such as crash severity, tire pressure, and coolant temperature.
Audio and biometric data
- Audio recordings through onboard microphones.
- Voice data from STARLINK service-center calls.
- Biometric data from systems that driver attention.
- Search content and commands issued by occupants.

Collection methods

Data collection is performed through:

Vehicle sensors and diagnostic modules.^[1]
GPS tracking systems.
Cellular-connectivity modules.
STARLINK mobile apps and web portals.^[1]

Data sharing and sales

Third-party data sharing

Subaru shares data with several entities, including:

Data brokers, such as LexisNexis^[7] and Verisk.^[8]^[9]
Insurance companies for risk assessment and pricing.^[8]
Marketing firms.
Emergency services and law enforcement (when required by law).
Subaru dealerships and distributors.
Third-party service providers.^[7]

Insurance-industry usage

Data brokers aggregate and sell this information to insurance companies, who may:

Increase insurance premiums based on driving patterns.
Monitor driving behaviors to assess risk.
Use driving data for personalized coverage offerings.^[9]

Privacy concerns

Consent issues

Key concerns include:

Simply being a passenger in a STARLINK-equipped vehicle constitutes consent.^[1]
Lack of active notification during data collection.
Limited opt-out options that might impact vehicle functionality.

Difficulties in opting out

Subaru’s opt-out process involves:

Submitting detailed personal information.
Potentially long response times.
No verification mechanism for successful opt-out.^[10]

Legal challenges

Subaru faces legal scrutiny for:

Allegations of insufficiently disclosing its data-collection policies what it does with data.
Potential non-compliance with privacy laws.
Class-action lawsuit investigations over consent practices.^[8]

Technical details

System architecture

STARLINK is built upon:

Embedded telematics devices.
4G LTE cellular networks.
GPS receivers and cloud-based data-processing systems.^[11]

Data transmission

Real-time data transmission through LTE networks.
Local storage when connectivity is unavailable.^[11]

Consumer-protection issues

Privacy rights

Critics cite:

Minimal control over data retention.
Broad sharing permissions in privacy policies.
Limited transparency about how data is used.^[1]

Economic harm

Insurance-rate adjustments based on driving data.
Subscription fees for connected services.
Potential effects on vehicle resale value.^[9]

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 Mozilla Research (15 Aug 2023). "Mozilla Foundation Privacy Review: Subaru". foundation.mozilla.org. Archived from the original on 6 Sep 2023. Retrieved 2025-01-16.
↑ ^2.0 ^2.1 "Just die already SiriusXM". Reddit. Archived from the original on 22 Feb 2026. Retrieved 2025-11-27.
↑ "SiriusXM Help & Support Center". 2025-11-27. Archived from the original on 26 Jan 2026.
↑ "No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved | Subaru Crosstrek and XV Forums". Subaru Crosstrek and XV Forums. 2025-11-27. Archived from the original on 26 Jan 2026. Retrieved 2025-11-27.
↑ "Disconnecting your telematics (Starlink) antenna | Subaru Outback Forums". Subaru Outback Forums. 2020-03-02. Archived from the original on 14 May 2023. Retrieved 2025-11-27.
↑ Curry, Sam (23 Jan 2025). "Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel". samcurry.net. Archived from the original on 15 Nov 2025. Retrieved 2025-02-19.
↑ ^7.0 ^7.1 ^7.2 "Subaru Privacy Policy". subaru.com. Archived from the original on 21 Feb 2025. Retrieved 2025-01-16.
↑ ^8.0 ^8.1 ^8.2 Flierl, Denis (21 May 2024). "Vehicle Data Collection Lawsuit". torquenews.com. Archived from the original on 1 Aug 2025. Retrieved 2025-01-16.
↑ ^9.0 ^9.1 ^9.2 Hill, Kashmir (11 March 2024). "Automakers Are Sharing Drivers' Data". nytimes.com. Archived from the original on 11 Mar 2024. Retrieved 2025-01-16.
↑ "Privacy Report Discussion". subaruoutback.org. 26 Jan 2025. Archived from the original on 10 May 2025. Retrieved 2025-01-16.
↑ ^11.0 ^11.1 "Subaru STARLINK Terms and Conditions". subaru.com. Archived from the original on 8 Jul 2025. Retrieved 2025-01-16.

[MozillaReview-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 Mozilla Research (15 Aug 2023). "Mozilla Foundation Privacy Review: Subaru". foundation.mozilla.org. Archived from the original on 6 Sep 2023. Retrieved 2025-01-16.

[:0-2] 2.0 ^2.1 "Just die already SiriusXM". Reddit. Archived from the original on 22 Feb 2026. Retrieved 2025-11-27.

[3] "SiriusXM Help & Support Center". 2025-11-27. Archived from the original on 26 Jan 2026.

[4] "No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved | Subaru Crosstrek and XV Forums". Subaru Crosstrek and XV Forums. 2025-11-27. Archived from the original on 26 Jan 2026. Retrieved 2025-11-27.

[5] "Disconnecting your telematics (Starlink) antenna | Subaru Outback Forums". Subaru Outback Forums. 2020-03-02. Archived from the original on 14 May 2023. Retrieved 2025-11-27.

[6] Curry, Sam (23 Jan 2025). "Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel". samcurry.net. Archived from the original on 15 Nov 2025. Retrieved 2025-02-19.

[SubaruPrivacy-7] 7.0 ^7.1 ^7.2 "Subaru Privacy Policy". subaru.com. Archived from the original on 21 Feb 2025. Retrieved 2025-01-16.

[TorqueNews-8] 8.0 ^8.1 ^8.2 Flierl, Denis (21 May 2024). "Vehicle Data Collection Lawsuit". torquenews.com. Archived from the original on 1 Aug 2025. Retrieved 2025-01-16.

[NYT-9] 9.0 ^9.1 ^9.2 Hill, Kashmir (11 March 2024). "Automakers Are Sharing Drivers' Data". nytimes.com. Archived from the original on 11 Mar 2024. Retrieved 2025-01-16.

[ConsumerForum-10] "Privacy Report Discussion". subaruoutback.org. 26 Jan 2025. Archived from the original on 10 May 2025. Retrieved 2025-01-16.

[StarlinkTerms-11] 11.0 ^11.1 "Subaru STARLINK Terms and Conditions". subaru.com. Archived from the original on 8 Jul 2025. Retrieved 2025-01-16.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]