Hacking Subaru: Tracking and controlling cars via the admin panel

548 points by ramimac, 4 months ago

39 comments


dantillberg, 4 months ago
Last year, I submitted a "right to know" request to Subaru, and they sent the following back. I've reformatted it for legibility. Basically asserts they'll do and sell whatever they want (except another car to me).

> Subaru may collect the following personal information about a consumer:
>
> Categories of personal information:
>
> Identifiers: Consumer records, Commercial information, Internet or Other Electronic Network Activity, Audio recordings, Vehicle geolocation, Professional or employee-related information, Inferences, Sensitive personal information
>
> Categories of sources from which the personal information is collected: Retailers, i.e. authorized Subaru dealerships, Provided by consumer or vehicle, Third parties
>
> Business or commercial purpose for which Subaru collects or sells personal information: To provide services to the consumer, To market goods and services to consumers, To provide marketing by third parties for third party goods and/or services, To comply with legal obligation
>
> Categories of third parties with whom the personal information is shared: Business service providers, Contractors, Retailers, Corporate parent and affiliates, Third party providers of goods and/or services, Entities required to comply with the law
>
> Categories of personal information sold: Identifiers for third party marketing of goods or services, Consumer records for third party marketing of goods or services
>
> Categories of personal information disclosed for business purpose: Identifiers are disclosed to service providers, contractors, and third parties. Consumer records are disclosed to service providers, contractors, and third parties. Commercial information is disclosed to service providers, contractors, and third parties. Internet or other electronic information is disclosed to service providers, contractors, and third parties. Vehicle geolocation is disclosed to service providers. Inferences are disclosed to service providers and contractors. Sensitive personal information is disclosed to service providers and contractors.

mavdi, 4 months ago
Not surprised. I've had a few interactions with the Subaru connected services dev team as an external contractor from another car company; everyone was everyone else's cousin, friend, homeboy from India. Nepotism was rampant, no one wanted to listen to advice, a strong culture of corporate antibodies had formed. I'm surprised they even got it to work at this level.

netsharc, 4 months ago
Hah, them being able to bypass the 2FA by commenting out the line:

$('#securityQuestionModal').modal('show');

is... mind-bogglingly stupid of whoever got the job to write that Starlink web app.

OTOH, the hacker hijacked a Starlink employee's account to get in; isn't that over the line in terms of "ethical hacking" / from a legality standpoint?

bilekas, 4 months ago
> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

This is mind-blowing to me. Number 1, why do you need a car connected to the internet all the time? And how are you not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will?

ben7799, 4 months ago
I have a 2013 Outback Limited that is basically right before all this stuff got really stupid and weird. It's a great car other than it's not very fast and it gets really bad gas mileage. Amazing in the snow. I have had it since December 2012, so I've had plenty of service visits where I got newer loaners. (I special ordered my car to basically load it but not have Starlink, not have the sunroof, but have the leather seats and the HK upgraded stereo.)

Every time I have gotten a newer Subaru as a loaner it strikes me that they are worse cars for all this new stuff. The user interface is horrible in the new ones. In a lot of cases they have a skeuomorphic interface up on the touch screen that mimics the physical controls in my car! The actual physical controls are about 100x faster to operate and you quickly learn where the buttons are without looking.

I had an Ascent Onyx loaner last summer... the entire touch screen UI looked like it was barely operating above 10fps. Just gross. Lots of the UI is black and white as well, not even tasteful grayscale. The Onyx I had also had the upgraded HK stereo and that is not as good as the one in my car either; it sounded noticeably worse.

The electric steering on the new Subarus is terrible as well. My old Outback is not exactly a sports car, but getting out of a new one back into mine it feels like you're getting into a Porsche or something when you feel the hydraulic steering. Engine/turbo lag on a lot of the new ones is gross as well.

This is of course even worse! My car only has 120k miles on it; I plan to keep it for another 4 years and then maybe give it to my kid when he gets his license. Somehow I doubt Subaru will have a competitive vehicle by then. For me to consider another one they'd really need to have an EV Outback/Forester/Ascent or a hybrid version that gets at least 40mpg. And they need to fix all this horrible infotainment stuff in a way that the car operates better than a kid's toy and actually drives well like an older Subaru. Also they need to get off the whole stupid thing with giant rims. It's supposed to be a Subaru; it needs to have tires appropriate to going relatively fast on dirt roads.

_huayra_, 4 months ago
FYI for Subaru owners, you can opt out and have your data deleted anywhere in the US (not just California): https://www.subaru.com/support/consumer-privacy.html

It'll take ~6 months or so, but they will send you a confirmation email.

plagiarist, 4 months ago
I wish that keeping this much data was a liability. I want companies to be liable for damages in the millions of dollars if they share an entire year's worth of location data without express permission from the vehicle owner. HIPAA for "just" PII.

stuff4ben, 4 months ago
As a DevSecOps/SRE whatever, I just gotta give props to the Subaru team for getting it patched within 24 hours. While it's just a small internal admin dashboard without real customer usage, the fact they acknowledged and fixed the issue so quickly speaks well of at least that part of Subaru IT.

simonlc, 4 months ago
Question: if you can remote start a Subaru with Starlink, does that mean I could start my car from the command line during winter??? I don't pay for Starlink, never really looked into it, but it sounds cheaper than installing a remote start system lol.

t1234s, 4 months ago
Having developed back-end portals like this one for much smaller companies, I find it hard to believe that there is an open endpoint to reset a password without any type of verification. What goes wrong in development that this type of crap makes it to production?

godber, 4 months ago
This claims to bypass the telematics functionality:

https://www.autoharnesshouse.com/69018.html

> Note for customers retaining OEM headunit: This adapter can also be used for those wishing to remove/disable the OEM Subaru Telematics functions. This is done to eliminate the tracking capability that Subaru has built into these vehicles. If this is you, we will need to add an additional part to this adapter to re-enable the bluetooth microphone. Please purchase the option 2 adapter near the bottom of this page for this situation.

rjmunro, 4 months ago
> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

How did they verify the "never exploited maliciously" part?

Did the person whose password they changed ever notice that their password didn't work any more and report the problem?

panki27, 4 months ago
This is even worse than the VW data leak reported around a month ago. [1]

[1] https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen

sc68cal, 4 months ago
This really reinforces my aversion to internet-connected cars. They used one to kill Michael Hastings.

yapyap, 4 months ago
Buying a car that is connected to the internet sounds horrific.

t0bia_s, 4 months ago
Imagine that the manufacturer can do that without any hacks and without your knowledge of the data collection. Now imagine that you sell those cars to foreign countries that your government considers an enemy. I'm curious when there will be some ban of a car brand, like TikTok.

ziddoap, 4 months ago
Is anyone aware of a list of affected models posted anywhere? All 2015+ models?

Obviously the ability to pull up account history, previous owners, etc. is applicable to anyone with a Subaru.

But I'm curious if location history shows up for people that have Subarus and never registered Starlink / never used the app. The author says:

> but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

But it's not clear to me whether "it" refers to purchasing Starlink or purchasing the vehicle.

niij, 4 months ago
How do you disable this in a Subaru? Can you tell Subaru to turn it off, or is there a low-effort way to disable it (fuse pull)?

sirjaz, 4 months ago
Well, this is why there should be a custom local app that is not web accessible. Desktop apps and CLIs have their advantages, and this is one.

blendo, 4 months ago
Did users have to explicitly sign up for Starlink in order to enable tracking? Or is that the default behavior for all new Subarus?

And, can this tracking be deactivated? I have a Mazda, and it required a phone call to Mazda to get it disabled.

yearolinuxdsktp, 4 months ago
Luckily, in right-to-repair states, such as Massachusetts, Subaru chose to disable Starlink altogether instead of making support documentation available under the law.

dml2135, 4 months ago
I live in the city so I've never owned a car, but would like to get one at some point. I'd want at least a plug-in hybrid, if not full electric, and absolutely no internet connectivity or tracking (or at least something that can be physically removed).

Is there even a single (new) car that fits these criteria?

1970-01-01, 4 months ago
Excellent write-up!

However, a much better title would have been "Hacking Subaru: FEEL THE FREEDOM"

https://trademarks.justia.com/owners/subaru-of-new-england-inc-2006774/

blackeyeblitzar, 4 months ago
A shocking thing about Subaru cars with Starlink (their infotainment system and connected service for things like remote start) is how deep the violation of privacy is. For example, they share your location data with Sirius XM by default, unless you go deep in their menus to realize it's even happening and opt out. They bury the consent in fine print that you fly through at the dealership. Truly a despicable company.

tadhgpearson, 4 months ago
I love the variety of tooling and joining the dots to complete this attack: DNS + scanning + human factors research + HTML bypass on the admin site itself...

amatecha, 4 months ago
tfw your car is also an always-online computer running proprietary software you have no control over ... and that software is written by people who think you can block login with a modal overlay, and who make a public-facing API call that resets a password with nothing more than the account's email address...

pards, 4 months ago
> it seemed that we had agreed to the STARLINK enrollment when we purchased it.

Related to the GM ban: https://news.ycombinator.com/item?id=42734260

beezle, 4 months ago
Slightly off topic: how are recent Mazdas in regard to all of this stuff? They were not included in that Mozilla privacy exposé and I have a CX on my short list for this spring.

motza, 4 months ago
Would the remote 'stop' stop a moving car? It's scary to think that someone could have easily used this basic exploit to stop all the affected vehicles on the road.

tomohawk, 4 months ago
Is there a way to prevent the car from connecting to this service?

therealfiona, 4 months ago
That's it... I'm not buying a car with any internet connection unless I can rip it out. And every day that's going to get harder.

Guess I'll stick with old Kai Vans...

renewiltord, 4 months ago
All this is pretty cool. It's a pity there's no way to just extract it yourself for yourself. I like all these features and have an older Subaru.

yellow_lead, 4 months ago
No bounty for such a big vulnerability is unbelievable.

rurp, 4 months ago
There are a striking number of stories in this thread of incompetence and unethical behavior on the part of Subaru, and it makes me sad that the company has turned into such a wreck. Maybe they were always run this way but older technology didn't allow them to be quite so scummy.

I bought a Subaru in the aughts that I absolutely loved and had assumed my next car would be from the same company. But when I test drove and looked into a new model I was shocked at how many terrible changes had been made, and I didn't even uncover half of what is in this thread.

I'm not holding my breath, but hopefully the bad press affects sales enough to make the people running this company care and alter their behavior. The mechanical cars themselves are still nice to drive, but the terrible interfaces, obscene amount of spying, and intrusively unethical behavior really kill the experience.

chatmasta, 4 months ago
For those who might not read the article, note that "Starlink" is not the SpaceX service. It's an internal name for a Subaru customer service web app.

monomial, 4 months ago
Good god. This is why I will continue to repair my older car until it's completely infeasible to do so. Then what? Are there internet communities out there actively working on disabling all this nonsense? Can't imagine buying a car like this without knowing I can physically disable the cell modem.

high_na_euv, 4 months ago
What a shitshow!

like_any_other, 4 months ago
> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

So 'only' Subaru, Starlink, their business and advertising partners, and law enforcement can remotely track (and disable - don't think you can run from the law!) your car?

> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

Assuming it's possible to not agree to it - does that completely disable the system, or is everyone with a Subaru just one warrant away from getting locked in their car until the police can come to arrest them? Does the car still store (I'm charitably assuming it doesn't transmit) location data, so all your friends can retroactively be identified and arrested as well, even if you never agreed to any tracking?

(To get ahead of the usual retort - haha yes, phones also track this data, therefore let's not fix any problems unless we can fix all of them at the same time. But actually let's use the other problems as an excuse to do nothing.)

jcgrillo, 4 months ago
Yet another example of why I don't own or drive vehicles from this stupid century.