Subaru vulnerability exposed millions of cars to remote hacking and tracking

Skye Jacobs

Posts: 2,010   +58
Staff
A hot potato: Security researchers have uncovered alarming vulnerabilities in Subaru's Starlink system, potentially exposing millions of vehicles to unauthorized access and extensive location tracking. While Subaru has said that it doesn't sell location data, the potential for misuse is a significant concern.

The discovery began when Sam Curry, having purchased a 2023 Impreza for his mother, decided to examine its internet-connected features during a Thanksgiving visit.

Curry and fellow researcher Shubham Shah found they could hijack control of various vehicle functions, including unlocking doors, honking the horn, and starting the ignition. However, what Curry found most disturbing was the ability to access detailed location history. "You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry told Wired. He added, "Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone."

The researchers began by identifying a weakness in the password reset functionality on the SubaruCS.com site, an administrative portal intended for Subaru employees. By simply guessing an employee's email address, they could initiate a password reset process, exposing a critical flaw in the system's design.

Further investigation revealed that while the site did ask for answers to two security questions during the reset process, these were verified using client-side code running in the user's browser rather than on Subaru's servers. This oversight allowed the researchers to easily bypass the security questions, highlighting a significant lapse in the company's cybersecurity measures. "There were really multiple systemic failures that led to this," Shah told Wired.

Curry and Shah then used LinkedIn to locate the email address of a Subaru Starlink developer, exploiting the vulnerabilities to take over this employee's account, which granted them access to sensitive information and controls. The compromised account allowed the pair to look up any Subaru owner using various personal identifiers such as last name, zip code, email address, phone number, or license plate.

Moreover, they discovered that they could access and modify Starlink configurations for any vehicle, as well as reassign control of Starlink features. This included the ability to remotely unlock cars, honk horns, start ignitions, and locate vehicles.

Most alarmingly, Curry and Shah gained access to detailed location histories of vehicles, with data going back at least a year. "You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry explained to Wired.

Subaru quickly patched the security flaws after the researchers reported their findings in late November. However, the incident raises broader concerns about privacy and data security in the automotive industry. The researchers warn that similar vulnerabilities likely exist in other automakers' systems.

A Subaru spokesperson confirmed to Wired that certain employees can access location data, stating that it's necessary for purposes such as sharing vehicle location with first responders in case of collisions. "All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed," the company said. It also said it doesn't sell location data.

The discovery is part of a larger trend of security vulnerabilities in connected vehicles. Curry and other researchers have previously identified similar issues affecting multiple car manufacturers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.

This incident underscores the growing privacy concerns surrounding modern vehicles. A recent report by the Mozilla Foundation highlighted that 92 percent of car manufacturers give owners little to no control over collected data, and 84 percent reserve the right to sell or share this information.

Permalink to story:

 
"You can retrieve at least a year's worth of location history for the car, where it's pinged precisely"

No, you cannot.

Not if one owns a car from the 2000's or older.

What do you need a car with an onboard PC for anyway?
 
"You can retrieve at least a year's worth of location history for the car, where it's pinged precisely"

No, you cannot.

Not if one owns a car from the 2000's or older.

What do you need a car with an onboard PC for anyway?

-Problen is it's not really a question of "want" anymore because a lot of this crap is standard.

I want a car that is all buttons and knobs, no LCD screen shenanigans, but still offers Bluetooth functionality.

I don't think that I can go out and buy a car like that new today.
 
-Problen is it's not really a question of "want" anymore because a lot of this crap is standard.

I want a car that is all buttons and knobs, no LCD screen shenanigans, but still offers Bluetooth functionality.

I don't think that I can go out and buy a car like that new today.

Ηate to break it to you, but cars with, uh "bluetooth functionality" have been available since at least year 1999. You could retro-fit a 1999 car with "bluetooth functionality".

Get out from that cave, man.

I own a year 2002 automobile with full "bluetooth functionality" and it never "rats" on me.
 
Ηate to break it to you, but cars with, uh "bluetooth functionality" have been available since at least year 1999. You could retro-fit a 1999 car with "bluetooth functionality".

Get out from that cave, man.

I own a year 2002 automobile with full "bluetooth functionality" and it never "rats" on me.

-I mean I know I'm responding to a stranger on the internet so this conversation is really only going to go one way, but if your solution to this issue is buying 20+ year old "vintage" cars, it's not really a solution at all.

There is a limited and ever dwindling supply of those.

But yeah, I enjoyed my rusty ancient 2000's era ES300. What a car. Too bad the thing eventually accumulated enough issues that it was no longer worth fixing...
 
"You can retrieve at least a year's worth of location history for the car, where it's pinged precisely"

No, you cannot.

Not if one owns a car from the 2000's or older.

What do you need a car with an onboard PC for anyway?
This is nonsensical. You CAN track many current cars and mumbling about the 2000s doesn't change that fact. And 25+ year old cars have plenty of age-related issues so that is not a real solution.

Motorcycles still let the owner control the inputs and don't leak data, but they are less fun on rainy or cold days.
 
Cars are just a more expensive example of the lack of privacy/security.

EVERYTHING that is sold nowadays has the potential to leak your data - from your computer, to your dishwasher to your oven... anything that is sold as "smart" or has any connection to the internet probably has lousy security...

Instead of fighting it - it's better to simply accept that EVERYTHING you have will be available to EVERYONE eventually. Better to monitor the important stuff and realize that privacy is dead.
 
Ηate to break it to you, but cars with, uh "bluetooth functionality" have been available since at least year 1999. You could retro-fit a 1999 car with "bluetooth functionality".

Get out from that cave, man.

I own a year 2002 automobile with full "bluetooth functionality" and it never "rats" on me.
Funny how you omitted 90% of what he said he wants and doesn't want from today's cars and you only fixated yourself on the word "Bluetooth"

Next time try to read the entire comment.
 
Instead of fighting it - it's better to simply accept that EVERYTHING you have will be available to EVERYONE eventually. Better to monitor the important stuff and realize that privacy is dead

Yes, it is certainly better or at least more practical to be aware that it is a possibility/probability and plan accordingly. But I don't agree on the accept part. Tech moves a lot faster than policy but I'm hoping policy will eventually catch up.

Here, I could see a not that distant future where car reviews included a discussion of the manufacturer's data practices. A recent similar example is how car manufacturers thought for a bit they could avoid supporting CarPlay and AndroidAuto, until those omissions began being surfaced as a top level comparison points and consumers shopped accordingly. On the tort side, while there may not have been many cases yet, it wouldn't shock me to eventually see substantial liability in the case of tragic outcomes (say, murder by a stalker enabled by location data) where as here the manufacturer was clearly negligent in handling sensitive data they didn't even need to have in the first place. Or simply just legislation more strictly limiting who can collect & keep certain types of data, what safeguards they must adhere to, and what the substantial penalties for failures are.

All of this will change the calculus for a mid-level manager who today has no incentive to say anything other than "sure, collect and keep everything, why the heck not" to "of course not, treat that like radioactive liability sludge and make sure we're not contaminated with it".

It'll take a while to sort itself out - as in generation(s) - but I don't see people accepting this forever.
 
Cars are just a more expensive example of the lack of privacy/security.

EVERYTHING that is sold nowadays has the potential to leak your data - from your computer, to your dishwasher to your oven... anything that is sold as "smart" or has any connection to the internet probably has lousy security...

Instead of fighting it - it's better to simply accept that EVERYTHING you have will be available to EVERYONE eventually. Better to monitor the important stuff and realize that privacy is dead.
The problem that it will be available to everyone is not the main concern.
A cautious person should question HOW could it affect my life.
I think it always goes down to control, to having more power, to getting used to having little to no privacy, little to know freedoms.
And as someone who has great interest in learning about communistic countries (not communism, I do not care about the theory, but communistic countries) I see how it could lead
to a future where people have a fraction or no freedoms at all.

Access to data makes control times and times easier. Do you really think people fight for privacy for no reason at all?
 
Last edited:
Cars are just a more expensive example of the lack of privacy/security.

EVERYTHING that is sold nowadays has the potential to leak your data - from your computer, to your dishwasher to your oven... anything that is sold as "smart" or has any connection to the internet probably has lousy security...

Instead of fighting it - it's better to simply accept that EVERYTHING you have will be available to EVERYONE eventually. Better to monitor the important stuff and realize that privacy is dead.

Another way to aviod this dystopian future is to develop our own mods, hacks, workarounds, and blocking systems to limit the more intrusive data telemetry. Many of us already do that with Windows Updates and skin down to just the useful functions we expect from an OS. We have the intellect but sadly most of us just don't care enough about being exploited.
 
My wife decided on a 2024 Toyota Rav4 Hybrid last year as her final car for life.

While in the driveway I showed her on my router how much data is being transmitted from her "new" car. Her response shocked me.

"I don't care I am not doing anything wrong" and walked away.

Point is...no one really cares.
 
Another way to aviod this dystopian future is to develop our own mods, hacks, workarounds, and blocking systems to limit the more intrusive data telemetry. Many of us already do that with Windows Updates and skin down to just the useful functions we expect from an OS. We have the intellect but sadly most of us just don't care enough about being exploited.
just cut the ground pin on the antenna. Or, put a faraday cage/bag around the module with the wireless antenna on it.
 
Access to data makes control times and times easier. Do you really think people fight for privacy for no reason at all?
Just because something is unwinnable doesn’t mean it isn’t worth fighting - but it is foolish to live your life assuming you’re gonna win.

Fight for your privacy - everyone should - but live your life assuming that fight will be lost.
 
Cars are just a more expensive example of the lack of privacy/security.

EVERYTHING that is sold nowadays has the potential to leak your data - from your computer, to your dishwasher to your oven... anything that is sold as "smart" or has any connection to the internet probably has lousy security...

Instead of fighting it - it's better to simply accept that EVERYTHING you have will be available to EVERYONE eventually. Better to monitor the important stuff and realize that privacy is dead.

Or just not hook those things up to the internet or local (wireless) lan.

If I can't run my TV without internet then it's no good of use.

 
This is not unexpected. It is not a matter of whether it can be hacked, but rather when it will be hacked. People want more convenience, and companies want more data, hence, the reason for such incidents. I don't believe such risks are isolated to Subaru. Essentially if you are driving any new cars purchased in the past 1.5 to 2 decades ago, it is highly likely there is some sort of tracker on it. New cars nowadays are full of electronics and likely comes with a lot of vulnerabilities.

I do not agree that being able to track you for the past 1 year is the risk here. It sounds to me they are trying to switch our attention to other less important risks here. When someone can remotely unlock your car door and start ignition are to me more concerning. I wonder what other basic driving functionalities can hackers access.
 
Yes it does. You just don't set it up and you unplug the cell radios. The cars will still work fine without the internet.
If you take it to a dealer for servicing - it’s connected…. And if you bought it from a dealer - it’s connected… and that’s how most people buy new cars…
 
Back