Cars are more connected than ever, which is great if you want to remember where you parked or start defrosting the windows while you are still in bed, but this connectivity brings security and privacy risks, as a newly disclosed hack of Subaru cars and their StarLink software has shown.
Security researchers Sam Curry and Shubham Shah explain in a blog post how they were able to break into the StarLink connected-vehicle service operated by Subaru. They tested against the car belonging to Curry's mother, but the same platform serves Subaru vehicles in the US, Canada and Japan.
With a driver's last name and zip code, email address, phone number or license plate, Curry and Shah were able to start, stop, lock and unlock the Subaru and obtain its current location. They could also see a full year of collected location history, precise down to individual parking spaces.
The same access exposed personal information about the driver, including their address, billing information (though not the full credit card number) and emergency contacts. Support call history, odometer readings and previous ownership records could also be retrieved.
Curry and Shah repeated the test on a Subaru owned by a friend and it worked again, with no notification or alert of any kind telling the car's owner that their vehicle had been accessed. All that was needed was a successful login to the StarLink portal and some basic driver information.

The Subaru employee portal was targeted by the hack.
Credit: Sam Curry
The StarLink login did have two-factor authentication and security questions, but these checks were enforced on the client side, so the researchers could bypass them simply by editing the site's JavaScript to skip them. In other words, no one-time code ever had to be entered.
That is a lot of access to features and data from a relatively simple hack. The good news is that Curry and Shah reported the vulnerability to Subaru and the manufacturer patched it within 24 hours, so this particular hack is no longer possible. However, all of this data remains accessible to Subaru employees, which raises further questions.
Subaru and your data
The original hack worked by logging into the StarLink admin portal as a Subaru employee, identified through some detective work on LinkedIn, combined with a small tweak to the website code. That route has since been closed, but genuine Subaru employees can still retrieve everything Curry and Shah found, including a full year of location history.
"The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California and no alarm bells will be raised," writes Curry. "It's part of their normal day-to-day job. Employees all have access to a lot of personal information, and it's all based on trust."

Subaru employees can see where you have been via StarLink.
Credit: Sam Curry
Subaru told Wired that its employees can access location data "based on their workplace relevance", for example to contact first responders when a collision is detected (a use that hardly requires a year of history). Subaru says these employees sign privacy, security and NDA agreements.
You can read Subaru's privacy policies here and here. StarLink collects a lot of data about you and your vehicle, including start and stop times, vehicle speeds and diagnostic information. Using a Subaru website or app opens up a whole new swath of data collection, including data captured by the microphones and cameras on your devices.
Worse, these policies also apply to passengers in a Subaru, as Firefox developer Mozilla notes here (this covers Subaru's apps and website as well as StarLink). While Subaru promises not to sell your information to third parties and says it uses the data to improve support and detect criminal activity, it may still target you with advertisements, communications and promotions.
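The "alarm bells" Curry says never ring are what an audit-log detection would provide, and "workplace relevance" is the kind of rule such a detector can check. As an added example that is not Subaru's or the researchers' code, here is a small detector run over constructed portal audit records; the log format, field names, rules and thresholds are all assumptions.

```javascript
// Constructed audit log, one JSON record per line, as a back-office portal might emit.
// Field names (employee home region, vehicle region, attached support case) are assumed.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2025-01-20T14:01:00Z","employee":"e1001","region":"TX","action":"vehicle.lookup","vin":"VIN-A","vehicleRegion":"TX","case":"C-41"}',
  '{"ts":"2025-01-20T14:05:00Z","employee":"e1001","region":"TX","action":"billing.view","vin":"VIN-B","vehicleRegion":"CA","case":null}',
  '{"ts":"2025-01-20T15:00:00Z","employee":"e2002","region":"CA","action":"location.history","vin":"VIN-C","vehicleRegion":"CA","case":"C-52"}',
  '{"ts":"2025-01-20T15:02:00Z","employee":"e2002","region":"CA","action":"location.history","vin":"VIN-D","vehicleRegion":"CA","case":null}',
  '{"ts":"2025-01-20T16:00:00Z","employee":"e3003","region":"NJ","action":"vehicle.lookup","vin":"VIN-E","vehicleRegion":"NJ","case":"C-60"}',
  '{"ts":"2025-01-20T16:03:00Z","employee":"e3003","region":"NJ","action":"vehicle.lookup","vin":"VIN-F","vehicleRegion":"NJ","case":"C-60"}',
  '{"ts":"2025-01-20T16:05:00Z","employee":"e3003","region":"NJ","action":"vehicle.lookup","vin":"VIN-G","vehicleRegion":"NJ","case":"C-60"}',
  '{"ts":"2025-01-20T16:08:00Z","employee":"e3003","region":"NJ","action":"vehicle.lookup","vin":"VIN-H","vehicleRegion":"NJ","case":"C-60"}',
  '{"ts":"2025-01-20T18:00:00Z","employee":"e3003","region":"NJ","action":"vehicle.lookup","vin":"VIN-I","vehicleRegion":"NJ","case":"C-61"}',
].join("\n");

function parseAuditLog(text) {
  return text
    .split("\n")
    .filter(Boolean)
    .map((line) => {
      const e = JSON.parse(line);
      return { ...e, t: Date.parse(e.ts) }; // epoch ms for window arithmetic
    });
}

// Actions that expose location history or billing data (constructed list).
const SENSITIVE = new Set(["location.history", "billing.view"]);

// Constructed rules:
//  1. a sensitive action with no support case attached;
//  2. access to a vehicle outside the employee's region with no support case;
//  3. more than maxPerHour accesses by one employee in any 60-minute window (bulk querying).
function detectSuspiciousAccess(events, { maxPerHour = 3 } = {}) {
  const findings = [];
  for (const e of events) {
    if (SENSITIVE.has(e.action) && !e.case)
      findings.push({ employee: e.employee, vin: e.vin, reason: "sensitive_without_case" });
    if (e.vehicleRegion !== e.region && !e.case)
      findings.push({ employee: e.employee, vin: e.vin, reason: "cross_region_without_case" });
  }
  const byEmployee = new Map();
  for (const e of events) {
    if (!byEmployee.has(e.employee)) byEmployee.set(e.employee, []);
    byEmployee.get(e.employee).push(e.t);
  }
  const HOUR = 3600 * 1000;
  for (const [employee, times] of byEmployee) {
    times.sort((a, b) => a - b);
    let lo = 0; // sliding window over sorted timestamps
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > HOUR) lo++;
      if (hi - lo + 1 > maxPerHour) {
        findings.push({ employee, vin: null, reason: "bulk_access" });
        break; // one finding per employee is enough to page someone
      }
    }
  }
  return findings;
}
```

Run over the sample, the detector flags the Texas employee viewing California billing data with no case, the California employee pulling location history with no case, and the New Jersey employee querying four vehicles in eight minutes; the in-region lookups with a case attached pass silently, which is the "workplace relevance" test expressed as data rather than trust.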

The researchers were able to obtain a lot of user data.
Credit: Sam Curry
There are steps you can take to limit some of this data collection. You can cancel your StarLink subscription, though you will then lose features like emergency assistance. You can also uninstall all Subaru-related apps from your phone, change your marketing preferences in the MySubaru portal, and fill out this form to limit data collection and sharing in certain states, although it is not clear what data the form covers or how long existing data is retained.
Subaru isn't alone among automakers when it comes to vulnerabilities like these and questionable privacy policies. But it is another reminder that extra connectivity often comes at a cost in user data, and that any decision about which car to buy next should probably take the manufacturer's data collection policies into account.