Researchers Sam Curry and Shubham Shah identified critical vulnerabilities in Subaru’s Starlink-connected vehicles, particularly affecting the 2023 Subaru Impreza.
These flaws allowed unauthorized individuals to access and control various vehicle functions remotely, posing significant security and privacy risks.
Exploiting the Vulnerability
The researchers discovered that by exploiting weaknesses in Subaru’s web portal, they could hijack an employee’s account through a simple password reset. The hijacked account gave them the ability to:
- Unlock the car
- Honk the horn
- Start the ignition
- Access detailed location data
Alarmingly, they could retrieve up to a year’s worth of location history, pinpointing exact parking spots and travel routes.
Subaru’s Response
Upon being informed, Subaru promptly addressed and patched the vulnerabilities in their employee portal. The company emphasized that collecting location data is essential for assisting with emergencies and tracking stolen vehicles.
However, the extent of data collection has raised concerns among cybersecurity experts.
Broader Implications for the Automotive Industry
This incident underscores a broader issue within the automotive sector: modern vehicles, equipped with advanced connectivity features, are increasingly susceptible to cyberattacks.
Similar vulnerabilities have been identified in other major brands, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.
A 2023 report by Mozilla highlighted that many cars collect more data than necessary, often without clear options for users to opt out. This data is sometimes sold to third parties without the user’s knowledge, leading to significant privacy invasions.
The Path Forward
As vehicles become more interconnected, the importance of robust cybersecurity measures cannot be overstated. Automotive manufacturers must prioritize the protection of user data and ensure that their systems are resilient against potential cyber threats.
Continuous monitoring, regular security audits, and transparent data practices are essential steps toward safeguarding the future of connected transportation.