A vulnerability in Subaru's services allowed hackers to unlock cars and track drivers' travel history

Late last year, researchers discovered a serious security vulnerability in Subaru's internal web service and in-car system, Subaru Starlink. It opened up full access to the company's customers' personal data, including location history, emergency contacts, call history, and more.
Here's What We Know
Cybersecurity researchers Sam Curry and Shubham Shah discovered the vulnerability in November 2024 while investigating Curry's mother's 2023 Subaru Impreza, which he had bought a year earlier. In comments to Wired, Curry said he had accessed at least a year's worth of the car's exact location history and other sensitive information.
The researchers were able to log in to Subaru's website through a compromised employee account. This enabled them to take control of the cars' Starlink features and access a huge amount of personal data, including customer name, emergency contacts, call history, home address and even the car's PIN. They could also remotely unlock the car and start it. All they needed was the victim's last name along with the car's licence plate number, the owner's postcode, phone number or email address.
To Subaru's credit, this vulnerability no longer exists: the automaker closed the loophole less than 24 hours after being notified of it. According to Sam Curry, however, the problem isn't just that unauthorised individuals can gain access to cars, but that virtually any employee of the vehicle manufacturer has full access to users' sensitive information. This probably doesn't just apply to Subaru, but to the auto industry as a whole.
Source: Wired