About a year ago, security researcher Sam Curry bought his mother a Subaru, with the condition that, in the near future, she would let him hack it.
It took Curry until last November, while he was home for Thanksgiving, to start looking for the 2023 Impreza’s internet-connected features and looking for tactics to exploit them. Sure enough, he and a researcher who worked with him online, Shubham Shah, temporarily discovered vulnerabilities in a Subaru Internet portal that allowed them to hijack the ability to unlock the car, honk the horn and turn on the ignition, thus reassigning the vehicle. those features to any phone or PC of your choice.
Most disturbing for Curry, though, was that they found they could also track the Subaru’s location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.
A year’s worth of knowledge of the location of Sam Curry’s mother’s 2023 Subaru Impreza, which Curry and Shah were required to access on Subaru’s worker management portal through its security vulnerabilities.
In your inbox: Get Text: Steven Levy’s Long-Term View of Technology
Discover the thousands of hijacked programs to spy on your location
Great Story: The King of Ozempic is scared to death
The “largest illicit market” ever created
Uncanny Valley: an insider’s look at the influence of Silicon Valley
More From WIRED
Reviews & Guides
© 2025 Condé Nast. All rights reserved. WIRED would possibly obtain a portion of sales from products purchased through our site as part of our partnerships with retailers. The curtains on this site may not be reproduced, distributed, transmitted, cached or otherwise used without the prior written permission of Condé Nast. Ad Options