Subaru security vulnerability exposed millions of cars to tracking risks

Two security researchers discovered a security vulnerability in Subaru’s Starlink-connected vehicles last year that gave them “unrestricted targeted access to all vehicles and customer accounts” across the U.S., Canada, and Japan, according to a Wired report.

The researchers, Sam Curry and Shubham Shah, alerted the Japanese automaker to the flaws in November and they were quickly fixed. Subaru told Wired that “after being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The researchers said that a hacker who knew only the car owner’s last name and ZIP code, email address, phone number, or license plate could remotely start, stop, lock, and unlock any vehicle, retrieve its current location, retrieve its complete location history from the past year, and find personally identifiable information of any customer.

Curry and Shah said that similar web-based flaws have been found in several other carmakers, including Kia, Honda, and Toyota.

While Curry and Shah acknowledged the security fixes, they warned that simply patching vulnerabilities after they are found isn’t enough to remedy the more pervasive issue of privacy in the automotive industry. And even if those vulnerabilities are all remedied, employees still have access to location data.

“You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” Curry told Wired. “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

https://www.fastcompany.com/91266251/subaru-security-vulnerability-exposed-millions-of-cars-to-tracking-risks?partner=rss&utm_source=rss&utm_medium=feed&utm_campaign=rss+fastcompany&utm_content=rss

Created Jan 23, 2025, 9:10:03 PM

