A recent discovery by security researchers Sam Curry and Shivang Shah has exposed serious flaws in Subaru's tracking system for millions of cars. They reported these issues to Subaru in November, and the company quickly fixed the problem. However, the researchers warn that similar issues could still be lurking in other carmakers' systems.
The vulnerabilities in Subaru's Starlink service allowed unauthorized access to customer accounts. Even though this issue has been patched, Subaru employees can still track a year's worth of location data for any customer. This raises concerns about privacy, as customer movements can be monitored extensively.
Subaru acknowledged the issue and stated that the vulnerability was immediately closed. They also confirmed that employees with relevant jobs can access location data. This access is meant to help in cases like notifying first responders during collisions.
Curry and Shah found the flaws while exploring the administrative domain SubaruCS.com. They could reset employee passwords just by guessing email addresses. This allowed them to take over any employee's account and look up any Subaru owner's details. Within seconds, they could control features like unlocking cars, honking horns, and starting ignitions remotely.
The researchers emphasized that multiple systemic failures led to this security breach. They found it concerning that even with the patch, Subaru employees still have extensive access to location data.