Security researchers uncover vulnerabilities in Subaru's location tracking habits

The automaker fixed the vulnerability that led to the discovery, but its employees can still track drivers.

Independent security researchers just revealed how they discovered a troubling vulnerability in Subaru vehicles—and the company’s careful tracking of its customers’ location data.

Driving the news: Researchers Sam Curry and Shubham Shah uncovered the security flaw last November, roughly one year after Curry purchased a Subaru for his mother. While the company was quick to fix the issue, Curry and Shah explained their method of infiltrating the automaker’s data in a blog post published this Wednesday.

  • After finding that the vehicle’s internet and remote access service, called Starlink (not related to SpaceX), connects to an admin website used by Subaru staff, Curry and Shah were able to log in to the website using an employee email found on LinkedIn.

  • While the site used two-factor authentication, they were able to bypass this by changing the code in their browser as it was run locally rather than on Subaru’s server.

  • Once inside the portal, Curry found he could reassign control of his mother’s car to any computer he had access to, allowing him to do anything from starting the vehicle to honking its horn.

  • More concerningly, the researchers found that Subaru had stored the vehicle’s location data extending back about a year (around the time the vehicle was purchased), logging its position every time the ignition was started and while en route to a destination.

Zooming in: Curry and Shah notified Subaru of the flaw last November. Subaru quickly patched the vulnerability, but its employees can still access driver location data.

  • In a response to an inquiry from WIRED, Subaru said the information allowed them to share vehicle locations with authorities in the case of an emergency and noted that employees with access to the data had received thorough training and signed NDAs.

  • The company did not explain why the travel logs went back one year. The retention period could be even longer: it is unclear how long Subaru actually stores its buyers’ data, as the researchers only tested the vulnerability on one vehicle.

Zooming out: Privacy concerns in the auto industry aren’t limited to Subaru, nor are they limited to automakers. Dealers can also collect data from customers by using GPS units often sold to buyers as anti-theft devices.

  • Many regulations protecting consumers from invasive data collection practices don’t apply to the car industry, giving companies more freedom in how they obtain or use their customers’ information.

  • This data can be used for a variety of purposes, well beyond Subaru’s example of contacting first responders. In one case, information ranging from vehicle speed to hard braking events collected by General Motors’ OnStar was used to deny insurance coverage to a Chevy Bolt owner. The owner was not subscribed to OnStar while it tracked his behavior.

Looking ahead: With consumers growing increasingly worried about their data privacy, the industry runs a risk of increased regulation and litigation. Companies will need to adopt transparent approaches if they hope to avoid losing trust.
