Subaru’s Shocking Security Flaw Exposed: Hackers Could Track Your Every Move and Unlock Your Car

Subaru recently faced scrutiny after security vulnerabilities were discovered in their Starlink system, allowing hackers to gain remote control of various vehicle functions and track the movements of millions of cars. These flaws revealed serious security gaps, not just in car functionality, but in the tracking of a vehicle’s location history, raising alarms over privacy risks.

The issue came to light after security researcher Sam Curry purchased a 2023 Subaru Impreza for his mother. In November, during a visit home for Thanksgiving, Curry began examining the car's connected features. Alongside fellow researcher Shubham Shah, Curry identified critical flaws in Subaru's Starlink web portal. These flaws enabled them to remotely control features like unlocking the car, honking its horn, and starting the engine from any phone or computer. Most concerning, however, was their ability to access detailed location data from the vehicle—tracking its movements for up to a year. This information included sensitive details such as the locations of doctor appointments, friends' homes, and even the exact parking spot used during regular activities, like attending church.

After reporting the issue to Subaru, the company quickly patched the security vulnerabilities. However, experts suggest that Subaru's case may be just the tip of the iceberg, as similar web-based flaws have been found in other automakers’ systems. Brands like Toyota, Honda, Hyundai, and BMW have faced similar security challenges. Researchers worry that these kinds of vulnerabilities are widespread, leaving millions of cars at risk of remote manipulation and unauthorized tracking.

What makes Subaru’s issue particularly concerning is the extent of the location data that can be accessed by employees. While the vulnerabilities have been fixed, employees with certain roles still have access to detailed location histories. Subaru confirmed that some staff members can view location data, such as when first responders are notified about accidents. Yet, questions remain about how long this data is stored and how easily it can be accessed by employees outside of emergency situations. For example, Subaru did not clarify how far back it retains location histories or whether this information can be accessed for other purposes.

The revelations highlight an ongoing, systemic problem in the automotive industry: the increasing amount of personal data collected by vehicles and the insufficient safeguards protecting it. Cars are becoming more connected and data-driven, collecting vast amounts of information on drivers, from locations to driving habits. While the industry focuses on innovation and convenience, there’s a growing concern about the lack of transparency regarding data usage and privacy.

This issue also underscores the need for stronger privacy protections in the automotive sector, as vehicles today are capable of tracking much more than just basic navigation. In recent years, security researchers have found vulnerabilities across multiple manufacturers, showing that no one is immune to the risks of data breaches in the car industry. Consumers, unaware of the vast amount of data their vehicles collect, are at risk of having their personal movements tracked, potentially leading to privacy violations or misuse of information.

As car manufacturers continue to integrate more sophisticated technology into vehicles, the question remains whether they will take the necessary steps to protect consumer data and ensure security features are robust enough to protect against hackers and misuse. While Subaru has patched the specific vulnerabilities related to the Starlink system, the broader issue of how personal data is handled by automakers remains an ongoing challenge that must be addressed by the industry as a whole. Until such privacy issues are addressed, drivers should remain cautious about how much personal data their cars are collecting and who has access to it.