Subaru Starlink Security Flaws Expose Millions of Drivers to Hacking and Tracking Risks

Thinking of buying a Subaru? Read this first.

A shocking recent revelation showed that Subaru's Starlink-connected vehicles had security flaws that made millions of cars vulnerable to hacking and location tracking.

Security researchers Sam Curry and Shubham Shah discovered critical flaws that let them take remote control of the vehicles and gain access to sensitive location histories. This might give you pause about whether your information is safe and private with your car.

How Researchers Discovered Subaru's Vulnerabilities

The investigation began when Curry looked into the connected features of his mother's 2023 Subaru Impreza. What started as a casual experiment turned into something surprising: through Subaru's Starlink platform, the car could be unlocked, its ignition started, its horn honked, and its movements over the past year tracked.

By identifying weaknesses in Subaru's Starlink employee portal, the researchers discovered they could reset passwords with only employee email addresses. The system verified its security questions locally in the user's browser instead of on Subaru's servers.

With an employee account, they could find any Starlink-enabled vehicle and then reassign control to another device or computer.
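
The password-reset weakness described in this section, as an added example (not Subaru's code; the function names, account data and reset flow are hypothetical): a reset endpoint that trusts a browser-side security-question check, beside one where the server verifies the answer and tracks the reset state itself.

```javascript
// Added example with hypothetical names; this is not Subaru's code.
const crypto = require('crypto');
const kdf = (salt, secret) => crypto.scryptSync(secret, salt, 32);
const norm = (answer) => answer.trim().toLowerCase();

// Constructed employee account; only salted hashes are stored.
const users = new Map([['employee@example.com', {
  salt: 'constructed-salt',
  answerHash: kdf('constructed-salt', norm('Maple Street')),
  pwHash: kdf('constructed-salt', 'old-password'),
}]]);

// WEAK: the server assumes the browser already checked the security
// questions, so an email address alone is enough to set a new password.
function resetTrustingClient(email, newPassword) {
  const user = users.get(email);
  if (!user) return false;
  user.pwHash = kdf(user.salt, newPassword);
  return true;
}

// HARDENED: reset state lives on the server, keyed by a random ticket.
const tickets = new Map();
const MAX_ATTEMPTS = 3, TTL_MS = 10 * 60 * 1000;

function beginReset(email, now = Date.now()) {
  const id = crypto.randomBytes(32).toString('hex');
  // Issued for unknown emails too, so the reply does not reveal accounts.
  tickets.set(id, { email, verified: false, attempts: 0, expires: now + TTL_MS });
  return id;
}

function submitAnswer(id, answer, now = Date.now()) {
  const t = tickets.get(id);
  if (!t || now > t.expires || t.attempts >= MAX_ATTEMPTS) return false;
  t.attempts += 1;
  const user = users.get(t.email);
  if (!user) return false;
  t.verified = crypto.timingSafeEqual(kdf(user.salt, norm(answer)), user.answerHash);
  return t.verified;
}

function completeReset(id, newPassword, now = Date.now()) {
  const t = tickets.get(id);
  tickets.delete(id); // single use, whether or not the reset succeeds
  if (!t || !t.verified || now > t.expires) return false;
  const user = users.get(t.email);
  user.pwHash = kdf(user.salt, newPassword);
  return true;
}
```

In the hardened flow, a request that skips the answer step is rejected because the `verified` flag is set only by the server, never supplied by the client.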

The Extent of the Subaru Starlink Data Breach

According to Wired, the experts have clearly demonstrated their findings with chilling precision. Through the compromised portal, they:

Accessed fine-grained location data for a year, revealing trips, doctor visits, and parking spots.
Controlled vehicle features such as door locks, ignition, and horn remotely.
Identified owners using personal information like names, emails, and license plates.

Curry and Shah noted that these flaws not only opened up avenues for theft and stalking but also pointed to a larger concern about excessive geolocation tracking of cars by automobile companies.

Did Subaru Patch the Vulnerabilities Residing in the Starlink Platform?

Subaru quickly responded after the researchers disclosed their findings in November 2024. The company patched the vulnerabilities in its Starlink platform, and a spokesperson assured that no unauthorized access to customer data occurred. However, Subaru confirmed that employees can access vehicle location data for legitimate purposes, such as assisting first responders.

"The thing is, even though this is patched, this functionality is still going to exist for Subaru employees. It's just normal functionality that an employee can pull up a year's worth of your location history," Curry said.

Subaru is Not Alone in Dealing With this Privacy Nightmare

Subaru is not the only automaker affected. Similar vulnerabilities have been found in vehicles from Acura, Honda, Hyundai, BMW, and others.

Again and again, researchers have proven how web-based flaws can allow for unauthorized access, and yet most automakers collect massive amounts of driver data without adequate safeguards.

Mozilla's 2023 report branded modern cars as a "privacy nightmare." It said 92% of manufacturers give drivers little control over collected data and 84% reserve the right to share or sell information.

The lack of transparency is still a cause for concern: Subaru claims it doesn't sell location data, but it offers drivers little visibility into, or control over, what it collects.

Robert Herrell, executive director of the Consumer Federation of California, said people are being tracked in ways they don't realize, and it's time for stricter regulations to protect consumers.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.