Security Flaws Expose Subaru’s Tracking System for Millions of Vehicles
A series of security vulnerabilities in Subaru's vehicle tracking system has raised significant privacy concerns. Security researchers Sam Curry and Shubham Shah uncovered flaws in the company's web portal that allowed them to remotely unlock and start vehicles, as well as access at least a year’s worth of location data for millions of Subaru cars equipped with the Starlink telematics system. The discovery was made during a personal project, revealing not just the ability to control vehicle features but also highly detailed tracking information, including the exact locations of user visits.
The flaws, which have since been patched, indicate that access to sensitive location data by Subaru employees was alarmingly unrestricted. During their testing, Curry and Shah discovered they could hijack employee accounts through a poorly secured password reset feature, enabling them to pull up any Subaru owner's detailed location history. The vulnerabilities exposed systemic failures within the company’s cybersecurity framework, echoing a growing trend of similar issues across numerous automotive manufacturers.
Subaru confirmed it had resolved these vulnerabilities and emphasized that no unauthorized access to customer information occurred. However, concerns linger regarding the extent of employee access to location data, which could be exploited for malicious purposes. This incident has ignited discussions about broader privacy issues within the automotive industry, where many carmakers lack adequate safeguards over the extensive data they collect from consumers.
News summary by melangenews