Subaru has recently patched significant security vulnerabilities in its Starlink connected system, which is installed in vehicles across the United States, Canada, and Japan. These vulnerabilities were uncovered by security researchers Sam Curry and Shubham Shah, and they exposed sensitive user data. More alarmingly, they allowed for remote control of certain car functionalities and provided detailed access to the vehicles’ location history.
Complete Remote Control
The vulnerabilities were originally found on a website meant for Subaru employees. By exploiting weaknesses in the password reset process, the researchers were able to gain access to internal accounts. Once logged in, they could remotely manipulate vehicle settings such as unlocking doors, starting engines, or even honking the horn.
Even more troubling, they discovered that the site allowed them to view precise vehicle location histories spanning one year. To test this vulnerability, Curry used his mother’s 2023 Subaru, achieving pinpoint accuracy in tracking. He was able to trace her medical visits, addresses of friends she visited, and even the specific parking spot she used when going to church.
According to the researchers, these vulnerabilities could potentially affect any vehicle equipped with Starlink, simply by knowing basic information about the owner, such as their last name, email address, or license plate number.
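The article describes the attack chain only in outline: a weak password reset process on an employee-facing site led to account takeover, and those accounts in turn exposed remote vehicle controls and location history. It does not say what the specific weakness was, so the following is an added, hypothetical example of how a defender hardens a reset flow in general, not Subaru's code and not a reconstruction of the patched flaw. Every name and policy value in it (the `ResetTokenStore` class, the 15-minute lifetime, the attempt limit) is assumed for illustration. It shows the controls that make a reset endpoint resistant to guessing and replay: tokens with enough entropy, stored only as digests, bound to one account, expiring, single-use, rate-limited, compared in constant time, and only honoured once the server itself has verified the second factor.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; they are not taken from any vendor's system.
TOKEN_TTL_SECONDS = 15 * 60          # a reset link is valid for 15 minutes
MAX_ATTEMPTS_PER_WINDOW = 5          # redemption attempts allowed per account per window
RATE_WINDOW_SECONDS = 10 * 60


def _hash_token(token: str) -> str:
    """Persist only a digest: a leaked token table cannot be replayed as-is."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hypothetical in-memory server-side store for password reset tokens."""

    def __init__(self):
        self._tokens = {}    # token digest -> (account, expires_at)
        self._attempts = {}  # account -> timestamps of recent redemption attempts

    def issue(self, account: str, now=None) -> str:
        """Create an unguessable token (256 bits) bound to one account."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[_hash_token(token)] = (account, now + TOKEN_TTL_SECONDS)
        return token  # sent to the account's verified contact channel, never echoed elsewhere

    def _rate_limited(self, account: str, now: float) -> bool:
        """Count this attempt and reject once the per-window budget is exceeded."""
        recent = [t for t in self._attempts.get(account, []) if now - t < RATE_WINDOW_SECONDS]
        recent.append(now)
        self._attempts[account] = recent
        return len(recent) > MAX_ATTEMPTS_PER_WINDOW

    def redeem(self, account: str, token: str, now=None) -> bool:
        """Return True only for an unexpired, unused token issued for this account."""
        now = time.time() if now is None else now
        if self._rate_limited(account, now):
            return False
        digest = _hash_token(token)
        # Compare against every stored digest in constant time so response timing
        # does not reveal how close a guess came.
        match = None
        for stored in list(self._tokens):
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        bound_account, expires_at = self._tokens.pop(match)  # single use: consumed on first match
        return bound_account == account and now <= expires_at


def complete_reset(store: ResetTokenStore, account: str, token: str,
                   mfa_verified_server_side: bool, now=None) -> bool:
    """A reset succeeds only if the server itself verified the second factor
    and the token checks out. The MFA result must come from the server's own
    verification step, never from a flag the client supplies."""
    if not mfa_verified_server_side:
        return False
    return store.redeem(account, token, now=now)


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice", now=1000.0)
    print("wrong token accepted:", store.redeem("alice", "not-the-token", now=1001.0))
    print("valid token accepted:", store.redeem("alice", tok, now=1002.0))
    print("replayed token accepted:", store.redeem("alice", tok, now=1003.0))
```

The `now` parameter exists so the expiry and rate-limit logic can be exercised deterministically; in production it would simply default to the clock. The same checks apply to any internal or employee-facing portal whose accounts can reach customer data, which is the kind of site the researchers report having entered.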
Swift Response Raises Privacy Concerns
In response, Subaru stated that no customer data had been compromised. The company also confirmed that certain employees can access vehicle location data, but only in specific scenarios, like sharing information with emergency services following an accident. These employees are trained and required to sign confidentiality agreements.
However, this incident highlights broader privacy concerns. The researchers pointed out that, although the flaw was fixed, employee access to location data remains a fundamental issue. Retaining movement history for at least a year creates a standing opportunity for misuse. It’s interesting to consider whether such a data breach could occur in Europe under stringent GDPR regulations.
Issues Extend Beyond Subaru
In recent years, similar vulnerabilities have been identified at other automotive manufacturers, including Honda, Kia, and Toyota. Beyond the technical flaws themselves, these incidents raise questions about how much personal data connected cars collect and how securely it is handled.