Millions of Cars at Risk: Subaru’s Tracking System and its Security Flaws Revealed

Privacy concerns raised as Subaru employees retain access to detailed vehicle location data (Credit: Subaru) 

Now-fixed web vulnerabilities enabled hackers to remotely unlock and start millions of Subarus.

Alarmingly, they could also access at least a year of the vehicles’ location histories, a capability that Subaru employees still retain.

A year prior, security researcher Sam Curry purchased a Subaru for his mother, with the agreement that he would have the opportunity to hack it in the near future.

Subaru patches Starlink vulnerabilities after researchers uncover systemic flaws (Credit: Subaru)

It wasn’t until last November, during Thanksgiving, that he began investigating the internet-connected features of the 2023 Impreza and searching for potential exploits.

He and fellow researcher Shah quickly uncovered vulnerabilities in a Subaru web portal that allowed them to hijack functions such as unlocking the car, honking the horn, and starting the ignition, effectively transferring control of those features to any device they chose.

The most unsettling discovery for Curry was the ability to track the Subaru’s location, revealing not just its current position but also a comprehensive history of where it had been during the entire year his mother owned the car.


The precision of the map detailing the car’s movements was so thorough that Curry could identify his mother’s doctor visits, her friends’ homes, and even the specific parking space she used each time she attended church.

Sam Curry’s mother’s 2023 Subaru Impreza had a year’s worth of location data accessible through Subaru’s employee admin portal, which was compromised due to security flaws.

“You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” Curry explained. “Whether someone is cheating on their partner, seeking an abortion, or involved in a political group, there are countless scenarios where this information could be weaponized against individuals.”

In a recent blog post, Curry and Shah disclosed their method for hacking and tracking millions of Subarus, believing that it would have enabled hackers to target any vehicle equipped with the company’s Starlink digital features across the US, Canada, or Japan.

By exploiting vulnerabilities in a Subaru website designed for employees, they were able to hijack an account and gain access to vehicle location data, including every instance the engine started, as demonstrated in their accompanying video.

After Curry and Shah reported their findings to Subaru in late November, the company swiftly addressed the security issues within Starlink.

Despite this, the researchers cautioned that these vulnerabilities were part of a broader pattern of web-based flaws that have affected numerous automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.

They expressed confidence that similar serious vulnerabilities likely exist within other car manufacturers’ online tools, waiting to be uncovered.

The implications of their findings specifically regarding Subaru reveal how deeply those with access to the portal can track customers’ movements, raising privacy concerns that extend well beyond the recent web vulnerabilities. “Even though this has been patched, the functionality still exists for Subaru employees,” Curry pointed out. “An employee can easily access a year’s worth of location history.”

After being contacted regarding Curry and Shah’s discoveries, a Subaru spokesperson stated that “after being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed, and no customer information was ever accessed without authorization.”

The spokesperson also confirmed that “certain employees at Subaru of America, based on their job relevancy, can access location data.” As an example, the company noted that employees may need to share a vehicle’s location with first responders in the event of a detected collision.

“All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” added Subaru’s statement.

“These systems have security monitoring solutions in place, which are continually evolving to meet modern cyber threats.”

In response to Subaru’s mention of informing first responders about collisions, Curry pointed out that this situation would hardly necessitate a full year of location history.

The research by Shah and Curry that led to the identification of Subaru’s vulnerabilities began when they discovered that Curry’s mother’s Starlink app connected to the domain SubaruCS.com, which they recognized as an administrative domain for employees.

Subaru’s web vulnerabilities allowed hackers to unlock and start millions of cars remotely (Credit: Subaru)

While searching for security flaws on that site, they realized they could reset employee passwords by simply guessing their email addresses, granting them the ability to take over any employee’s account linked to an email they could uncover.

Although the password reset process required answers to two security questions, they found that those answers were checked by code running locally in the user’s browser rather than on the server, so the safeguard could be bypassed easily. “There were really multiple systemic failures that led to this,” Shah remarked.

The two researchers found the email address of a Subaru Starlink developer on LinkedIn, took control of that employee’s account, and immediately discovered that they could use that access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to retrieve their Starlink configurations.

Within seconds, they could then reassign control of that user’s Starlink features, including the ability to remotely unlock the car, honk the horn, start the ignition, or locate the vehicle, as illustrated in their video.

These vulnerabilities present serious theft and safety risks for drivers. Curry and Shah emphasize that a hacker could easily target someone for stalking or theft by locating their vehicle and unlocking it at will—though a thief would still need to employ a separate technique to disable the car’s immobilizer, which prevents the vehicle from being driven away without a key.

Such car hacking and tracking techniques are not uncommon. Last summer, Curry, alongside another researcher, Neiko Rivera, demonstrated to WIRED how they could replicate similar exploits with any of the millions of vehicles sold by Kia.

Over the past two years, a larger group of researchers, including Curry and Shah, has uncovered web-based security vulnerabilities affecting vehicles from Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

What sets Subaru apart in this case is the researchers’ ability to access detailed historical location data for the vehicles, extending back at least a year.

While it is possible that Subaru collects multiple years of location data, Curry and Shah’s tests were conducted solely on Curry’s mother’s Subaru, which she had owned for about a year.

Curry asserts that Subaru’s extensive tracking of locations underscores a troubling lack of privacy protections within the car industry concerning the increasing collection of personal data from drivers. “It’s kind of bonkers,” he said.

“People expect that a Google employee won’t have access to their emails in Gmail, but Subaru employees can simply click a button on the admin panel to view a user’s location history.”

The work of the two researchers adds to the mounting concern regarding the vast quantities of location data amassed by car manufacturers.

In December, information from a whistleblower provided to the German hacker collective Chaos Computer Club and Der Spiegel revealed that Cariad, a software firm partnered with Volkswagen, had exposed detailed location data for 800,000 electric vehicles online.


A September report from privacy researchers at the Mozilla Foundation warned that “modern cars are a privacy nightmare,” highlighting that 92 percent of car owners have little to no control over the data collected, and 84 percent reserve the right to sell or share that information. (Subaru assured WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches connected to the internet might be spying on us, car brands quietly entered the data business by transforming their vehicles into powerful data-gobbling machines,” stated the Mozilla report.

The discovery of Subaru’s security vulnerabilities regarding location tracking showcases a particularly troubling breach of data privacy—yet the privacy issue remains concerning even after the vulnerabilities have been addressed, says Robert Herrell, the executive director of the Consumer Federation of California, which has advocated for legislation to limit data tracking by cars.

“It appears that there are numerous Subaru employees with alarming access to detailed information,” Herrell noted. “People are tracked in ways they are completely unaware of.”
