Subaru’s poor security left vehicle data easily accessible

Subaru left a gaping security flaw that, although now patched, exposes countless privacy problems in modern vehicles. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) of an easily hacked employee web portal. After gaining access, they were able to remotely control a test vehicle and view a year’s worth of its location data. They warn that Subaru is far from alone in having lax security around vehicle data.

After the researchers notified Subaru, the company quickly patched the exploit. Fortunately, the researchers found no sign that hackers had breached the portal before. But authorized Subaru employees can still access owners’ location history with just a single piece of the following information: the owner’s last name, zip code, email address, phone number or license plate number.

The hacked admin portal was part of Subaru’s Starlink suite of connectivity features. (No relation to SpaceX’s satellite internet service of the same name.) Curry and Shah got in by finding a Subaru Starlink employee’s email address on LinkedIn and resetting the worker’s password after bypassing two required security questions, since that check took place in the end user’s web browser, not on Subaru’s server. They also bypassed two-factor authentication by doing “the easiest thing we could think of: removing the client-side overlay from the UI.”

Although the researchers’ tests traced the location of the test vehicle back a year, they cannot rule out the possibility that authorized Subaru employees can go back even further. That’s because the test car (a 2023 Subaru Impreza that Curry bought for his mother on the condition that he could hack it) had only been in use for about that long. The location data was also not generalized to a wide area: it was accurate to within 17 feet and updated every time the engine started.

“After searching and finding my own vehicle in the dashboard, I confirmed that the StarLink administrator dashboard should have access to pretty much every Subaru in the US, Canada and Japan,” Curry wrote. “We wanted to confirm that we weren’t missing anything, so we reached out to a friend and asked if we could hack their car to demonstrate that there was no requirement or feature that actually prevented a full takeover of the vehicle. She sent us her license plate, we added her vehicle to the admin panel and finally added ourselves to her car.”

In addition to tracking their location, the admin portal allowed the researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry’s mother never received a notification that they had added themselves as authorized users, nor did she receive any alert when they unlocked her car.

They could also query and retrieve personal information for each customer, including emergency contacts, authorized users, home address, the last four digits of their credit card and the vehicle PIN. In addition, they were able to access the vehicle’s ownership history and previous owners, mileage and sales history.

In a statement to Engadget, Subaru communications director Dominick Infante wrote: “Subaru of America, Inc. was informed by independent security researchers of a vulnerability in its StarLink service that had the potential to allow third-party access to Starlink accounts. Subaru patched the vulnerability on the same day, and no Subaru vehicles or customer data was accessed without authorization. The independent researchers were able to access two accounts belonging to a family member and a friend who provided them permission to do so.”

Subaru also stressed that its cars cannot be driven remotely and that the company does not sell location data. It also says that only certain employees have access to the portal, based on job relevance.

The security researchers say the tracking and security failures, which stem from a single employee’s ability to access “a lot of personal information,” are hardly unique to Subaru. Wired notes that Curry and Shah’s previous work has exposed similar defects affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.

The pair believe there is cause for serious concern about the industry’s location tracking and poor security measures. “The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California and it will not raise any alarm bells,” Curry wrote. “It’s part of their normal day-to-day job. Employees all have access to a lot of personal information, and it’s all based on trust. It seems really difficult to truly secure these systems when such broad access is built into the system by default.”

The researchers’ full report is worth a read.

Update, January 24, 2025, 1:07 p.m. ET: This story has been updated to add a statement from Subaru.
