Security researcher Sam Curry decided to assess the security of the Subaru vehicle he had purchased for his mother. About a year prior, he and his mother had agreed that he would eventually investigate the potential vulnerabilities in the car’s system. That opportunity arose in November when Curry, alongside his colleague Shubham Shah, began analyzing the internet-connected features of the 2023 Subaru Impreza.
Curry and Shah uncovered vulnerabilities in Subaru’s web portal that allowed them to remotely control various car functions, including unlocking doors, activating the alarm, starting the ignition, and even tracking the vehicle’s location. Alarmingly, the researchers gained access to a full year’s worth of historical location data, revealing addresses visited, medical offices, friends’ homes, and even the precise parking spot at a church.
The vulnerabilities were linked to Subaru’s Starlink connected-vehicle system, used in Subaru vehicles across the U.S., Canada, and Japan. Hackers could potentially reassign control of any vehicle connected to Starlink using web tools intended for Subaru employees. Upon being notified in November, Subaru promptly addressed the issues; however, the researchers caution that similar vulnerabilities exist in the systems of other automakers.
Among the flaws identified in Subaru’s portal was the ability to reset an employee’s password using only their email address, bypassing verification for security question responses. Once Curry and Shah accessed an employee account, they could search vehicle owner data by last name, phone number, or license plate. Using this information, they could remotely manipulate the car’s functions.
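To make the password-reset flaw concrete, here is an added illustration (not Subaru’s code, and not taken from the researchers’ write-up) of the general pattern: a reset handler that never checks the security-question answer server-side, beside a hardened handler that does. The employee store, e-mail address and answer are constructed sample data.

```python
import hashlib
import hmac


def _h(answer: str) -> str:
    # Store only a hash of the security-question answer. A slow, salted
    # password hash (e.g. scrypt) is preferable in production; sha256 keeps
    # this illustration short.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


def make_store() -> dict:
    # Constructed in-memory "employee directory" for the example; hypothetical.
    return {
        "alice@example.invalid": {
            "password": "old-password",
            "sq_answer_hash": _h("fluffy"),
        }
    }


def reset_password_vulnerable(store: dict, email: str, new_password: str,
                              sq_answer: str = "") -> bool:
    """Flawed pattern: the security-question answer is accepted but never
    verified here, so anyone who knows a valid e-mail can set a new password."""
    rec = store.get(email)
    if rec is None:
        return False
    rec["password"] = new_password  # sq_answer ignored; the check only ran in the browser
    return True


def reset_password_hardened(store: dict, email: str, new_password: str,
                            sq_answer: str) -> bool:
    """Hardened pattern: verify the answer on the server with a constant-time
    comparison and change the password only when it matches. Unknown e-mails
    and wrong answers both return False, so the response does not reveal which."""
    rec = store.get(email)
    if rec is None:
        return False
    if not hmac.compare_digest(_h(sq_answer), rec["sq_answer_hash"]):
        return False
    rec["password"] = new_password
    return True
```

A complete fix would additionally require a one-time reset token delivered to the mailbox, rate-limit attempts, and log every reset for review.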
The researchers highlighted the significant risks these capabilities pose to both safety and privacy. Malicious actors could exploit such vulnerabilities for theft, surveillance, or other illegal activities. Although Subaru asserts that only trained personnel have access to such data, the retention of year-long location histories raises ongoing concerns.
Curry and Shah warned that automotive companies are increasingly turning vehicles into “data collection machines,” jeopardizing drivers’ personal security. According to the Mozilla Foundation, 92% of modern vehicles offer users minimal control over collected data, while 84% reserve the right to sell or share this information.
Curry concluded that cases like these underscore the weak data protection practices within the automotive industry and called for stricter oversight of data collection and usage to safeguard personal information.