Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.
Security researchers Sam Curry and Shubham Shah identified critical vulnerabilities in Subaru’s web portal that allowed unauthorized access to vehicles’ internet-connected features. Through these flaws, they could remotely unlock doors, start the engine, and access detailed location histories spanning at least a year. These vulnerabilities potentially affected millions of Subaru vehicles equipped with the Starlink system in the U.S., Canada, and Japan. Upon being informed, Subaru promptly addressed and patched the issues. However, concerns remain about the extensive location data accessible to Subaru employees, highlighting broader privacy implications regarding the data modern vehicles collect.
Summary:
Security researchers Sam Curry and Shubham Shah identified critical vulnerabilities in Subaru’s web portal that allowed unauthorized access to vehicles’ internet-connected features. Through these flaws, they could remotely unlock doors, start the engine, and access detailed location histories spanning at least a year. These vulnerabilities potentially affected millions of Subaru vehicles equipped with the Starlink system in the U.S., Canada, and Japan. Upon being informed, Subaru promptly addressed and patched the issues. However, concerns remain about the extensive location data accessible to Subaru employees, highlighting broader privacy implications regarding the data modern vehicles collect.