• Home
  • Motorcycles
  • Electric Motorcycles
  • 3 wheelers
  • FUV Electric 3 wheeler
  • Shop
  • Listings

Subscribe to Updates

Get the latest creative news from CycleNews about two, three wheelers and Electric vehicles.

What's Hot

Silicon Valley Is Starting to Pick Sides in Musk and Trump’s Breakup

Royal Enfield BTR Road Racing Road America Results, Coverage

Elon Musk’s Feud With President Trump Wipes $152 Billion Off Tesla’s Market Cap

Facebook Twitter Instagram
  • Home
  • Motorcycles
  • Electric Motorcycles
  • 3 wheelers
  • FUV Electric 3 wheeler
  • Shop
  • Listings
Facebook Twitter Instagram Pinterest
Cycle News
Submit Your Ad
Cycle News
You are at:Home » Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
Electric Motorcycles

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars

cycleBy cycleJanuary 23, 202503 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
Share
Facebook Twitter LinkedIn Pinterest Email


Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies’ web tools that have yet to be discovered.

In Subaru’s case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru’s portal can track its customers’ movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It’s just normal functionality that an employee can pull up a year’s worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data.” The company offered as an example that employees have that access to share a vehicle’s location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru’s statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru’s example of notifying first responders about a collision, Curry notes that would hardly require a year’s worth of location history. The company didn’t respond to WIRED asking how far back it keeps customers’ location histories and makes them available to employees.

Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found that Curry’s mother’s Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take over any employee’s account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user’s browser, not on Subaru’s server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee’s account, and immediately found that they could use that staffer’s access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user’s vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleThe Global Far Right Is Celebrating Trump’s New World Order
Next Article The Proud Boys Are Plotting a Comeback. And They Want Revenge
cycle
  • Website

Related Posts

Silicon Valley Is Starting to Pick Sides in Musk and Trump’s Breakup

June 5, 2025

Elon Musk’s Feud With President Trump Wipes $152 Billion Off Tesla’s Market Cap

June 5, 2025

Elon Musk Is Posting Through It

June 5, 2025
Add A Comment

Leave A Reply Cancel Reply

You must be logged in to post a comment.

Demo
Top Posts

Silicon Valley Is Starting to Pick Sides in Musk and Trump’s Breakup

June 5, 2025

The urban electric commuter FUELL Fllow designed by Erik Buell is now opening orders | thepack.news | THE PACK

July 29, 2023

2024 Yamaha Ténéré 700 First Look [6 Fast Facts For ADV Riding]

July 29, 2023
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Latest Reviews

Subscribe to Updates

Get the latest tech news from FooBar about tech, design and biz.

Demo
Most Popular

Silicon Valley Is Starting to Pick Sides in Musk and Trump’s Breakup

June 5, 2025

The urban electric commuter FUELL Fllow designed by Erik Buell is now opening orders | thepack.news | THE PACK

July 29, 2023

2024 Yamaha Ténéré 700 First Look [6 Fast Facts For ADV Riding]

July 29, 2023
Our Picks

Your Boss’s Spyware Could Train AI to Replace You

Seen at EICMA 2024: innovative urban mobility with NAXEON I am. | thepack.news | THE PACK

How to Create Images With ChatGPT’s New Dall-E 3 Integration

Subscribe to Updates

Get the latest news from CycleNews about two, three wheelers and Electric vehicles.

© 2025 cyclenews.blog
  • Home
  • About us
  • Get In Touch
  • Shop
  • Listings
  • My Account
  • Submit Your Ad
  • Terms & Conditions
  • Stock Ticker

Type above and press Enter to search. Press Esc to cancel.