This Subaru Hack Revealed Location Data and Allowed Remote Access
We know cars are better connected than ever before, which is great when you want to remember where you parked or start defrosting your windows while you're still in bed. But that connectivity comes with security and privacy concerns, as a newly disclosed hack of Subaru cars and their Starlink software shows.
Security researchers Sam Curry and Shubham Shah explain in a blog post how they were able to remotely hack into the Starlink connected-vehicle service operated by Subaru. They tested their findings against Curry's mother's car, but the same platform runs on Subaru vehicles in the US, Canada and Japan.
Knowing only a driver's last name and zip code, or their email address, phone number or license plate, Curry and Shah were able to start, stop, lock and unlock the Subaru and determine its current location. They could also view an entire year's worth of collected location history, precise enough to show which parking space the car had used.
The same hack exposed the driver's personal information, including their address, payment details (though not the full credit card number) and emergency contacts. It also exposed the vehicle's support call history, odometer readings and previous owners.
Curry and Shah repeated the test on a Subaru belonging to one of their friends and it worked again, all without any notification or warning to the driver that their vehicle was being accessed. All that was needed was a successful login to the Starlink employee portal and some basic driver information.
Although Starlink logins were protected by two-factor authentication and security questions, those checks were enforced only in the browser rather than on Subaru's servers, so the researchers were able to bypass them simply by editing the website's code to skip them. In effect, the extra checks standing between an attacker and an employee account could be skipped entirely.
This is a huge amount of access to functions and data through a relatively simple hack. The good news is that Curry and Shah reported the vulnerability to Subaru, and the company fixed it within 24 hours, so this route in is now closed. However, all of this data remains available to Subaru employees, which raises further questions.
Subaru and your data
The initial hack was accomplished by logging into the Starlink employee portal as a Subaru employee, which took some detective work on LinkedIn and a little tweaking of the website code. Although that access route is now blocked, genuine Subaru employees can still see everything Curry and Shah found, including a year's worth of location history.
“The auto industry is unique in that an 18-year-old Texas employee can request payment information for a vehicle in California without raising a red flag,” Curry wrote. “It’s part of their daily work. All employees have access to a lot of personal information, and it all comes down to trust.”
Subaru told Wired that its employees, “depending on their job relevance,” may be able to access location data, for example to call first responders when a collision is detected (though that is unlikely to require a year of history). According to Subaru, these employees sign confidentiality, security and non-disclosure agreements.
You can view Subaru’s privacy policy here and here. You’ll notice that a lot of data is collected about you and your vehicle through Starlink, including where it starts and stops, its speed, and diagnostic information. Use the Subaru website or app and you unlock a whole new set of data, including data collected by the microphones and cameras on your devices.
Worse, these terms apply to all Subaru passengers, not just the owner; Mozilla, the developer of Firefox, provides details here (note that its review covers Subaru’s apps and website as well as Starlink). While Subaru promises not to sell your information to third parties and says it needs the data to improve support and detect criminal activity, it may use it to target you with ads, messages and promotions.
You can take steps to limit the collection of some data. You can, of course, cancel your Starlink subscription, but then you’ll lose features like emergency assistance. You can also remove any Subaru-related apps from your phone, change your marketing preferences through the MySubaru portal, and fill out this form to restrict certain data collection and sharing in certain states, although it’s unclear exactly what data the form covers or how long the data is retained.
Subaru isn’t alone among automakers when it comes to security vulnerabilities and questionable privacy policies. However, it’s another reminder that additional connectivity often comes at an additional cost in terms of user data – and that any decision about which car to buy next should probably also be made with the manufacturer’s data collection policies in mind.