A now-patched vulnerability in Subaru's connected-car service highlights how much location data modern vehicles collect, and how many people can reach it, even after the fix. Security researchers Sam Curry and Shubham Shah shared their findings with Wired, describing an employee web portal that was easy to compromise. Once inside, they were able to remotely control a test vehicle and retrieve a year's worth of its location history. Their work also shows that Subaru is not an isolated case: many automakers have similar weaknesses in how they secure vehicle data, raising concerns about the privacy of car owners.
Once notified by the researchers, Subaru quickly closed the hole. The researchers said there was no sign that malicious hackers had exploited the flaw before the patch. They remain concerned, however, that authorized Subaru employees can still look up a vehicle owner's location history with a single identifier, such as the owner's last name, zip code, email address, phone number, or license plate number.
The compromised admin portal was part of Subaru's Starlink suite, which provides the connectivity features in its vehicles. (It is unrelated to the SpaceX satellite internet service of the same name.) Curry and Shah got in by finding a Subaru Starlink employee's email address on LinkedIn and resetting that employee's password. The reset flow asked two security questions, but the answers were checked in the user's web browser rather than on Subaru's servers, so the check could simply be skipped. The portal's two-factor prompt fell the same way: they circumvented it by doing what they described as “the simplest thing we could think of: removing the client-side overlay from the UI.”
The researchers could trace the test vehicle's location back one year, but they cannot rule out that authorized Subaru employees can access older data: the test car, a 2023 Subaru Impreza that Curry bought for his mother on the condition that he could hack it, had only been on the road for about a year. The location data was precise to within about 17 feet and was refreshed at every engine start, enough for detailed tracking of an owner's movements.
Curry reported, “After searching and finding my own vehicle in the dashboard, I confirmed that the Starlink admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan.” To check that no additional safeguard protected vehicles they did not own, they asked a friend for permission to test her car. With only her license plate number they found her vehicle in the admin panel and added themselves as authorized users.
The admin portal allowed more than location tracking: the researchers could remotely start, stop, lock, and unlock any Starlink-connected Subaru. Curry's mother received no notification that a new user had been added to her account, nor any alert when her car was unlocked, so an owner would have no way of knowing that this had happened.
They were also able to pull personal information from the admin portal, including emergency contacts, authorized users, home addresses, the last four digits of credit card numbers, and vehicle PINs, as well as the owner's support call history, previous-owner records, odometer readings, and sales history.
In a statement to Engadget, Subaru Communications Director Dominick Infante emphasized, “Subaru of America, Inc. was notified by independent security researchers of a vulnerability in its Starlink service that had the potential to allow third-party access to Starlink accounts. Subaru patched the vulnerability that same day, and no Subaru vehicles or customer data was ever accessed without authorization. The independent researchers were able to access two accounts belonging to a family member and a friend who provided them with authorization to do so.”
Subaru also clarified that its vehicles cannot be driven remotely and said the company does not sell location data. It added that only certain employees have access to driver location data, and that this access is granted based on job relevance.
The researchers stress that the tracking and security problems are not unique to Subaru. Wired reports that Curry and Shah have previously found analogous flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and others, pointing to an industry-wide issue.
The researchers expressed deep concern about the lax security measures and location tracking practices prevalent in the automotive sector. “The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells,” Curry noted. “It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust. It seems really hard to secure these systems when such broad access is built into the system by default.”
The researchers have published a detailed report of their findings, which is well worth reading.
Update, January 24, 2025, 1:07PM ET: This article has been updated to include a statement from Subaru.