### Subaru’s Starlink Vulnerability: A Cautionary Tale for Automotive Cybersecurity and Privacy
In a time when vehicles are increasingly reliant on connectivity, the recent discovery of security flaws in Subaru’s Starlink system acts as a significant warning about the dangers tied to contemporary automotive technology. Security experts Sam Curry and Shubham Shah identified weaknesses in Subaru’s web portal that permitted unauthorized access to vital vehicle functions and sensitive location information. Their findings not only reveal the potential for harmful exploitation but also raise serious questions regarding data privacy within the automotive sector.
—
### **The Discovery: A Thanksgiving Experiment Gone Wrong**
The investigation commenced when Curry, an experienced security analyst, bought a 2023 Subaru Impreza for his mother, planning to examine its connected features for vulnerabilities afterward. During Thanksgiving in November 2024, Curry and Shah explored the vehicle’s Internet-enabled Starlink system. What they uncovered was concerning: vulnerabilities in Subaru’s employee portal allowed them to remotely manage various vehicle functionalities, such as unlocking doors, honking the horn, and even starting the ignition.
Even more troubling, the researchers were able to access a year’s worth of the vehicle’s location history. This comprehensive data unveiled personal details such as medical appointments, social events, and specific parking locations. The ramifications of such access are significant, as Curry remarked, “Whether someone is cheating on their spouse, having an abortion, or involved with a political organization, there are countless situations in which this could be weaponized against an individual.”
—
### **How the Hack Worked**
The researchers located the vulnerability within Subaru’s administrative domain, SubaruCS.com, which employees use to manage Starlink accounts. They found that they could reset employee passwords merely by guessing their email addresses. Although the reset flow demanded answers to security questions, those answers were checked in the user’s browser rather than on Subaru’s servers, so the check could be bypassed client-side.
By employing this strategy, Curry and Shah accessed an employee’s account and discovered they could search for any Subaru owner using basic details like a last name, zip code, or license plate number. After locating an owner, they could transfer control of the vehicle’s Starlink features to any device, effectively commandeering the car’s connected functions.
—
### **The Privacy Problem: More Than Just a Security Issue**
While Subaru promptly addressed the vulnerabilities upon notification, the event highlights a more extensive problem: the substantial accumulation and retention of location data by automakers. Subaru’s system enabled employees to access detailed location histories for at least one year, prompting inquiries about how this information is stored, who has access to it, and for what purposes it is utilized.
Subaru defended its practices by asserting that location data is used to aid first responders during emergencies, such as detecting collisions. Nevertheless, Curry emphasized that such capabilities do not necessitate a year’s worth of location history. The company failed to clarify how long it retains this data or the measures taken to secure it.
This lack of transparency isn’t exclusive to Subaru. A 2024 report from the Mozilla Foundation characterized modern vehicles as “a privacy nightmare,” highlighting that 92% of car brands offer little to no control over the data collected, and 84% maintain the right to sell or share this information. Subaru contended that it does not sell location data, yet the overarching industry trend remains concerning.
—
### **The Broader Implications for the Automotive Industry**
The Subaru incident represents just one example among a growing number of automotive cybersecurity issues. Over the preceding two years, researchers have pinpointed similar vulnerabilities in vehicles from Acura, BMW, Honda, Hyundai, Kia, Mercedes-Benz, Toyota, and others. These weaknesses often arise from inadequately secured web portals and APIs, which are increasingly utilized to manage connected vehicle features.
What differentiates Subaru’s case is the granularity of the accessible location data. This raises serious privacy issues, as vehicles evolve into “data-hungry machines,” amassing extensive information about their owners’ movements and behaviors. The potential for abuse—whether by malicious hackers, rogue employees, or even governments—should not be underestimated.
—
### **The Need for Stricter Regulations and Better Practices**
The Subaru incident underscores the pressing necessity for stricter regulations and improved cybersecurity practices within the automotive arena. While Subaru has addressed the specific vulnerabilities highlighted by Curry and Shah, the broader privacy concerns persist. As Robert Herrell, executive director of the Consumer Federation of California, pointed out, “Individuals are being monitored in ways they are utterly unaware of.”
Legislation aimed at curbing data collection and enhancing transparency is an essential step forward. For instance, California has proposed bills to safeguard victims of domestic abuse from being tracked via their vehicles. However, more thorough measures are required to tackle the wider privacy and security dilemmas presented by connected cars.
—
### **Conclusion: A Cautionary Tale for Consumers and Automakers**
The Subaru Starlink vulnerability serves as a cautionary tale for both consumers and automakers.