Could your Subaru Forester, Outback, Crosstrek, or any other model be the next target of a hack?
While I was perusing my Automotive News subscription, I stumbled upon a report that was as shocking as it was troubling. An independent security researcher had successfully hacked into a new Subaru's Starlink account, even managing to unlock the doors remotely.
The Automotive News report says:
"We interviewed an independent security researcher that told us that he hacked into a Subaru vehicle's interface used by employees, accessed more than a year's worth of location data, and unlocked a vehicle remotely."
This is worrisome because every new Subaru now comes with the Starlink multimedia system, and most models include Subaru's Starlink safety and security features as standard. It's an excellent feature for customers unless it’s hacked.
How Did This Happen To a New Subaru Vehicle?
The AN report says the Subaru hack has been fixed, but it still raises concerns, calling the incident "concerning" for the safety of Subaru customers' private information. This breach could potentially lead to unauthorized access to the vehicle, compromising the safety of the owner and their personal data.
"As Subaru vehicles get more connected, the vulnerability highlights automakers' struggles to protect data privacy as vehicles gather more data," the report reveals.
What Information Was Hacked By the Independent Security Researcher?
The Automotive News report says researcher Sam Curry found the Subaru Starlink administrator panel, deduced a valid employee email, reset the employee's account, bypassed the two-factor authentication, and was able to view the server-side data.
Part of the weakness of Subaru's Starlink technology was that it was custom-built for Subaru rather than relying on access management tools such as Okta. Harman International Industries designed the interactive service for Subaru Starlink.
"It was interesting to see a custom login page for Subaru's admin panel," Curry told Automotive News. "It's pretty uncommon."
The visible data included "Last Known Location": exact coordinates going back more than a year, accessible with nothing more than a customer's last name and ZIP code, the report revealed.
More Private Information Was Gathered
The AN report says, "Curry also gained the ability to grant and modify access to the vehicle with limited information, including the VIN or phone number for the customer. He tested this access by adding himself as an authorized user and unlocking a friend's car remotely."
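The sequence the report describes (an account reset on an employee-facing panel, then a year of location history pulled with a name and ZIP code, then a new authorized user added from a VIN) is the kind of chain an audit-log monitor on such a portal should flag. The following is an added example, not code from Subaru, Harman or the report; the log format, actor names, VIN placeholder and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit-log lines in a made-up format (timestamp actor action detail).
# Not Subaru's or Harman's real logging; the actors and VIN are placeholders.
AUDIT_LOG = """\
2024-11-20T23:41:02Z admin1@example.com PASSWORD_RESET via=self-service
2024-11-20T23:45:30Z admin1@example.com LOCATION_HISTORY lookup=lastname+zip days=400
2024-11-20T23:52:10Z admin1@example.com ADD_AUTHORIZED_USER vin=VIN-PLACEHOLDER
2024-11-21T09:05:00Z admin2@example.com MFA_VERIFIED method=totp
2024-11-21T09:10:00Z admin2@example.com LOCATION_HISTORY lookup=vin days=1
"""

# Actions that expose customer data or change who controls a vehicle.
SENSITIVE = {"LOCATION_HISTORY", "ADD_AUTHORIZED_USER"}
WINDOW = timedelta(hours=1)  # how long after a reset a session counts as "fresh"


def parse(line):
    ts, actor, action, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, detail


def find_suspicious_sessions(log_text, bulk_days=30):
    """Flag sensitive actions taken shortly after a credential reset with no MFA
    completion logged since that reset, and any location query spanning more
    than bulk_days (a year of coordinates is not a normal support lookup)."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    reset_at = {}   # actor -> time of most recent credential reset
    mfa_ok = set()  # actors who completed MFA since their last reset
    alerts = []
    for ts, actor, action, detail in events:
        if action == "PASSWORD_RESET":
            reset_at[actor] = ts
            mfa_ok.discard(actor)  # a reset must invalidate earlier MFA state
        elif action == "MFA_VERIFIED":
            mfa_ok.add(actor)
        elif action in SENSITIVE:
            reasons = []
            if actor in reset_at and ts - reset_at[actor] <= WINDOW and actor not in mfa_ok:
                reasons.append("sensitive action after reset without MFA")
            days = int(detail.split("days=")[1].split()[0]) if "days=" in detail else 0
            if days > bulk_days:
                reasons.append(f"bulk location history ({days} days)")
            if reasons:
                alerts.append((ts.isoformat(), actor, action, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(AUDIT_LOG):
        print(*alert)
```

The same rule would also catch an admin whose MFA step was skipped for any reason, because the check keys on the absence of a logged MFA completion rather than on how the login page behaved.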
Subaru Patched the System Quickly
The report says that after Subaru of America had learned about the problem, it patched the system within 24 hours. Curry alerted Subaru shortly before midnight on November 20, and the vulnerability was fixed by 4 p.m. on November 21, 2024.
What Does Subaru Say About Its Hacked Vehicle?
Dominick Infante, Director Of Communications at Subaru of America, said in an emailed statement that no customer information was accessed without authorization. He also noted that employees receive training and must sign nondisclosure agreements to access the data.
Infante said:
"Subaru of America does not sell location data. It is only shared with emergency responders in compliance with legal requirements or in emergency situations where there is an imminent risk of harm," he said. "For example, certain employees/agents will need to access a vehicle's location when automatic collision detection goes off to relay that location to first responders."
NOTE: This story has been updated. Aaron Cole, Product Communications Manager of Subaru of America, says, "Subaru no longer contributes to LexisNexis."
A Subaru spokesperson told the New York Times that the Camden, N.J. automaker only shares odometer readings through its Starlink safety system.
How Does Subaru Use the Data?
Subaru says the data it shares via Starlink is mileage-based. Your insurer can only measure how many miles you drive. The more miles you drive, the higher your insurance rates can be.
Subaru is Included in a Class Action Lawsuit Investigation Over Sharing Customers' Information
A report from Top Class Actions says, "Do you own a Subaru, Honda, Hyundai, or Kia vehicle less than five years old? Your vehicle may be collecting sensitive personal information about you and selling it to third parties."
"Car manufacturers are allegedly collecting drivers' sensitive personal information, that is, driving behavior data, and selling it to third parties without obtaining proper consent. This information is then sold to data brokerage firms that sell it to insurance companies, potentially resulting in higher insurance premiums for drivers," says Top Class Actions.
Subaru's Privacy Policy
Subaru's Connected Vehicle Services privacy policy states, "We collect Personal Information and Non-Personal Information automatically from Connected Vehicles. This information includes vehicle and service-related information, including but not limited to VIN and vehicle description; vehicle maintenance information; mechanical condition or incidents involving the vehicle such as crash severity sensor data; time, location, and speed of the vehicle; a Vehicle Occupant's search content; your personal identification number ("PIN"); and information about calls related to the Services or your account, such as the date, time and duration of the call, the identity and phone number of the caller, and contents of or notes about the call. In addition, your vehicle may be equipped with one or more sensing or diagnostic modules capable of automatically retrieving, recording, transmitting, or storing certain vehicle data, including but not limited to trouble codes, tire pressure, battery voltage, coolant temperature, and service requirements. We may collect and retain data from any such modules in your vehicle."
Non-Personal Information is Being Disclosed
Subaru states, "We may disclose Non-Personal Information about you to Service Providers and other third parties if we deem such disclosure, in our sole discretion, to have sound business reasons or justifications."
You Can Opt Out Of Third Party Marketing, But You Must Contact Subaru To Do So
Subaru says, "We share your Personal Information with third parties (each, a "Third Party Marketer") for their own marketing purposes from time to time. For example, we may provide personal information to service providers to permit them to market services to you for your vehicle (such as for Wi-Fi hotspots, satellite radio services, or insurance or financial products). You may opt out of this sharing by contacting us."
Andrea Amico, CEO of Privacy4Cars, says,
"This is not a misconfiguration. Automakers are collecting and sitting on as much personal data as possible, which helps businesses delete personal information from vehicles."
"Using safety as the blanket that covers all sins is just not going to work anymore, especially in a world in which regulators like the attorney general of Texas and the FTC are taking very strong actions against companies that engage in this kind of behavior," Amico said.
How to Minimize Your Risk of a Vehicle Hack
CarTrack says car owners can take several steps to protect their vehicles from hacking. Here are five things car owners should know:
- Regularly update your car's software
- Store key fobs in signal-blocking pouches
- Be cautious about connecting to public Wi-Fi
- Limit data sharing with connected car apps
- Contact your dealership if you suspect any unusual activity in the car's systems
Final Thoughts and Questions for Subaru Owners
If an independent security researcher with no intent to harm Subaru, or an owner, can hack Subaru's Starlink technology in a Subaru vehicle, others may be able to do so. Because Subaru vehicles are connected, Subaru will need to institute new security measures. They patched the leak for now, but will it be enough?
Do you own a Subaru vehicle with Starlink, and are you concerned about your car being hacked? Click the red Add New Comment link below and let us know.
Check out my Subaru story titled: I Took My Subaru Forester In For an Oil Change, They Tell Me I Need the 60K Check-In, My Oil Change Just Cost Me $1,000, A Fatal Flaw, Never Take It To a Dealer
I am Denis Flierl, a Senior Torque News Reporter since 2012. My 30+ year tenure in the automotive industry, initially in a consulting role with every major car brand and later as a freelance journalist test-driving new vehicles, has equipped me with a wealth of knowledge. I specialize in reporting the latest automotive news and providing expert analysis on Subaru, which you'll find here, ensuring that you, as a reader, are always well-informed and up-to-date. Follow me on my X SubaruReport, All Subaru, WRXSTI, @DenisFlierl, Facebook, and Instagram.
Photo credit: Denis Flierl via Subaru USA
Comments
NMK (not verified): This is what happens when manufacturers make you download an app to use features. This isn't just Subaru. All these manufacturers with "smart" features that connect to the Internet are hackable, just like everything else.
In reply to NMK (not verified): That's right.