    Security Researchers: We Could Remotely Start, Track Subarus – Kelley Blue Book




    A pair of security researchers found a way to remotely start and track millions of Subaru vehicles, even seeing everywhere the vehicles traveled in the year before the hack, Wired reports. Subaru says it has already fixed the vulnerability the pair found.

    But Wired’s bombshell report calls more attention to the growing issue of driver privacy and security as cars grow more connected to the internet.

    White Hat Hackers Reported the Flaw

    Security researchers Sam Curry and Shubham Shah weren’t trying to compromise anyone’s security. The pair acted as so-called white hat hackers. They worked to test Subaru’s security and report their findings to the company before anyone could take advantage of them.

    Wired reported on the matter only after Subaru closed the vulnerability the pair found.

    In a statement, Subaru says, “The vulnerability was immediately closed, and no customer information was ever accessed without authorization.”

    However, the company admitted to Wired that Subaru employees can still use the system Curry and Shah explored to track customer cars.

    “There are employees at Subaru of America, based on their job relevancy, who can access location data,” the company said. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed.” The company says employees use the access to serve customers, such as notifying emergency services in the event of an accident.

    A Web Service With Inadequate Security

    In a blog post, the pair explain that they found the company’s MySubaru app watertight. “Everything seemed properly secured. There weren’t a lot of endpoints. The authorization worked really well,” they write.

    But they were able to easily suss out the web address of a web portal Subaru uses to administer its Starlink in-vehicle infotainment systems. They found a backdoor way to reset passwords to the site and searched online for the email address of a Subaru employee to use as a login.

    Incredibly, they didn’t need one. The login that worked for them was jdoe@subaru.com, which is almost certainly a testing address.

    Resetting that password, they got administrative access.

    They Could Start Cars, Honk Horns, and, More Importantly, See Location History

    Once inside, the pair could access Subarus with just an owner’s last name and ZIP code, email address, phone number, or license plate. For ethical reasons, they used Curry’s mother’s Subaru with her permission.

    Access to the site, Wired says, let Curry and Shah “unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.” More frighteningly, “they could also track the Subaru’s location — not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.”

    Curry told Wired, “There are a million ways you could weaponize this against someone.”

    Researchers could also probe into customer accounts, the pair write, viewing their emergency contacts, physical address, and billing information (though not full credit card numbers).

    Privacy Concerns Coming Up Regularly for Automakers

    High-profile reports of security threats for drivers are now disturbingly common.

    In 2023, privacy researchers from the Mozilla Foundation called cars the least secure product they had ever tested.

    A 2024 New York Times report highlighted how abusive partners can easily use cars to track their victims.

    That problem is legally complex enough that the auto industry itself has asked Congress to intervene.

    Curry is not new to discovering vulnerabilities in cars. He was behind a 2022 effort that used SiriusXM to hack into cars from several companies and a 2023 project that showed how stalkers could use California’s digital license plates to track their victims.

    We encourage readers to ensure that any web portals and apps they use to connect to their cars have two-factor authentication enabled. But that wouldn’t have protected Subaru owners in this case, because the vulnerability was in an employee administrative portal.

    Wired notes that the Consumer Federation of California has “sought to create legislation for limiting car’s data tracking.”


