Subaru’s Security Vulnerabilities: Exposing the Tracking System of Millions of Vehicles

A year ago, security researcher Sam Curry purchased a Subaru for his mother, with the intention of hacking into it. During a Thanksgiving visit, he began testing the car’s internet-connected features and uncovered serious security vulnerabilities in a Subaru web portal. Along with fellow researcher Shubham Shah, Curry was able to remotely unlock the car, honk the horn, and even start the ignition from any device of their choosing.

The most alarming discovery was the ability to track the Subaru’s location history. Curry found that he could access detailed records of where the car had traveled for the past year, including specific visits to places like doctors and friends’ houses, revealing the locations his mother parked every Sunday at church.

“Retrieving a year’s worth of location data allows for invasive possibilities, from marital infidelity to abortion access—there are countless scenarios where this information could be weaponized,” Curry stated. Their findings, detailed in a blog post, indicated that the vulnerabilities affected millions of Subaru vehicles using its Starlink digital features across the U.S., Canada, and Japan.

After alerting Subaru about the vulnerabilities in late November, the company promptly patched them. However, Curry and Shah raised concerns about the ongoing privacy implications, noting that Subaru employees could still have access to customers’ location histories as part of their normal duties. “Even with the vulnerabilities fixed, the functionality remains a privacy risk for consumers,” Curry remarked.

In response to inquiries, a Subaru spokesperson acknowledged the security flaw and emphasized that no unauthorized access to customer data occurred before the patch. However, they confirmed that certain employees could access location data, especially in emergency situations.

Curry and Shah traced the vulnerabilities back to an administrative domain for Subaru employees, leading them to exploit weak password reset mechanisms that allowed access to employee accounts. Once inside, they could view customer vehicle data, including the ability to control various features remotely. The implications of their findings are serious, as malicious actors could potentially stalk victims or steal vehicles.
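The article attributes the initial foothold to a weak password reset on an employee-facing admin domain. The snippet below is an added illustration, not Subaru's code or the researchers' findings, of what a server-side reset flow that resists that class of weakness looks like: the token is generated with a CSPRNG, only its hash is stored, it expires, it is single-use, comparison is constant-time, and repeated wrong guesses invalidate it. All names (`ResetTokenStore`, `TOKEN_TTL_SECONDS`, `MAX_ATTEMPTS`) and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token
MAX_ATTEMPTS = 5             # assumed guess budget before the token is voided


class ResetTokenStore:
    """Hypothetical server-side store for password-reset tokens (constructed example).

    The browser never learns whether a username exists or what the token is;
    the token is delivered out of band (e.g. to the verified e-mail address)
    and the server alone decides whether a presented token is acceptable.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending = {}  # username -> {"hash": str, "expires_at": float, "attempts": int}

    def issue(self, username: str) -> str:
        """Create a fresh token for `username`, replacing any earlier one.

        Returns the raw token so the caller can send it out of band; only its
        SHA-256 digest is kept, so a leaked store does not yield usable tokens.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[username] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem(self, username: str, presented: str) -> bool:
        """Return True exactly once for the correct, unexpired token."""
        entry = self._pending.get(username)
        if entry is None:
            return False  # no outstanding reset for this account

        if self._now() > entry["expires_at"]:
            del self._pending[username]  # stale token is discarded, not reused
            return False

        presented_hash = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison: timing must not leak how many bytes matched.
        if not hmac.compare_digest(entry["hash"], presented_hash):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[username]  # too many guesses voids the token
            return False

        del self._pending[username]  # single use: a replayed token fails
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    raw = store.issue("employee@example.invalid")  # placeholder account name
    print("wrong token accepted:", store.redeem("employee@example.invalid", "guess"))
    print("right token accepted:", store.redeem("employee@example.invalid", raw))
    print("replay accepted:", store.redeem("employee@example.invalid", raw))
```

The check that matters for an admin portal is that every decision (existence, expiry, match, attempt budget) is made on the server from state the client cannot influence; a reset that trusts a client-supplied "verified" flag or a code echoed back in the page would fail each of these tests.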

This incident is part of a worrisome trend in the automotive industry, where weak security measures continue to plague multiple automakers, with previous research uncovering vulnerabilities in brands like Kia, Honda, and Toyota. The level of historical data accessible to employees raises further concerns about privacy protections in this data-driven era.

As Curry points out, there is an expectation that companies protect sensitive information. “You wouldn’t expect a Google employee to access your emails, yet a button on Subaru’s admin panel can reveal location histories,” he lamented. The growing accumulation of location data by car manufacturers has sparked wider discussions regarding consumer privacy, highlighting how little control consumers often have over the information collected by their vehicles.

Additional concerns surfaced when a whistleblower revealed that another company, Cariad, had left detailed location data for a large number of vehicles publicly exposed online, exacerbating fears regarding data management across the automotive sector, where 92% of vehicles reportedly lack adequate privacy safeguards.

For more information, refer to the blog post.
