We live in a new, technologically focused era, where computing power surpassing many of the largest supercomputers of the past is not only readily accessible in consumer-grade products but can also be shrunk into a form that fits in your book bag and your pockets.
Car designers often adopt some of these new technologies. In a speech in February 2024, former U.S. President Joe Biden described modern-day cars as “smartphones on wheels,” and it is hard to argue otherwise.
From best-selling models from Ford to the ultra-exclusive, racing-bred luxury sports cars by Ferrari, many of the cars available today come with a “connected app” that allows owners to control their cars as if they’re some sort of James Bond.
Sure, we are worlds away from having the same Q-level functions that Pierce Brosnan had with the BMW 750iL in the 1997 film Tomorrow Never Dies, but the ability to start, stop, lock, unlock and track your car’s location from a smartphone is a selling feature emphasized by many contemporary automakers. In a new ad campaign, actor Antonio Banderas shows off that Mercedes-Benz cars can “learn” your daily habits.
However, there is a downside to all this technology, as personal data becomes as valuable as gold to the right people, whether it be law enforcement, insurance companies or nefarious characters.
According to a blog post by a known “ethical hacker,” a security vulnerability left open by one popular automaker could have had serious implications for its drivers.
A security researcher exposed a hole in Subaru’s connected-car service
On January 23, security researcher and ethical hacker Sam Curry wrote in a blog post that he and a partner were able to find a vulnerability within Subaru’s Starlink system, the connected-car services suite offered by the automaker.
According to Subaru, the Starlink suite has two different functions within the car. STARLINK Multimedia powers the infotainment system of equipped Subaru cars, providing drivers with features like Android Auto and Apple CarPlay as well as in-car navigation, while STARLINK Safety and Security provides features like collision detection, roadside assistance, and stolen vehicle recovery.
In addition, Subaru offers its owners the convenience of a smartphone application called MySubaru, which allows drivers with equipped vehicles to start their Subarus remotely and access other functions and vehicle data.
According to Curry, he and his partner were able to gain access to Subaru’s Starlink through a hole they found within the administrator console. With this kind of access, the duo said that they and/or other hackers were able to compromise the accounts of Subaru employees and gain administrative access to the system.
By gaining administrative access, Curry, Shah and/or other more nefarious hackers essentially had a “master key” to virtually every Starlink-equipped Subaru vehicle in the U.S., Canada and Japan, allowing them access to a virtual treasure trove of critical, valuable data and important remote functions.
What Curry and Shah discovered was that if the wrong person were to find just one piece of information, such as the first and last name of a Subaru owner, an address, the license plate number and/or Vehicle Identification Number, they could have had the ability to track the location data of a specific car for up to a year.
In addition, they found that they had access to the same functions as the MySubaru app: the ability to remotely lock, unlock, start up, and shut down someone else’s Subaru without the owner having to reach for their keys.
To see if what they found actually worked, Curry wrote that they reached out to a friend who owned a Subaru equipped with the same connected services to see if they “could hack her car to demonstrate that there was no pre-requisite or feature which would’ve actually prevented a full vehicle takeover.”
After sending just the details of her license plate number, Curry was able to make himself an “authorized user” of the car and demonstrated to them that they were able to play with its functions, even while the keys were in the owner’s hands.
“Afterwards, she confirmed that she did not receive any notification, text message, or email after we added ourselves as an authorized user and unlocked her car,” Curry said in his blog post.
In the blog post, Curry wrote that Subaru patched this vulnerability back in November 2024, when he discovered it and shared it with the automaker. However, in Curry’s past blog posts, the security specialist found similar vulnerabilities with other automakers, including Acura, Honda, Ferrari, Hyundai, Kia, Toyota, and others.
Data collection by automakers has been a rising concern, as the automotive industry carries a tattered record regarding data privacy and security.
Within its privacy policy accessible online, Subaru warns that the transmission of personal data from owners’ cars to its own servers “is not 100% secure” and that owners transmit data “at their own risk.” However, it does its best to “ensure security” on its systems.
“Subaru uses secure server software and firewalls designed to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction,” Subaru says in its privacy policy. “However, please note that this is not a guarantee that such Personal Information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software.”
In a statement to TheStreet, a representative from Subaru of America noted that Starlink customer accounts “were not accessed or compromised” and that Curry and Shah “received authorization from their friends and family to access their information.”
“Subaru of America does not sell location data,” Subaru told TheStreet. “It is only shared with law enforcement or emergency responders in compliance with legal requirements or in emergencies where there is an imminent risk of harm.”