Subaru Tracking Hack Raises Larger Privacy Questions

Subaru has since patched the issue, but questions remain


Sam Curry’s social media bio describes him as a “bug bounty hunter.” So when he raises an alarm over a security vulnerability that affects Subarus in no less than three large countries, people pay attention. In a lengthy blog post, he describes the findings he and fellow security expert Shubham Shah reached when using Subaru’s Starlink system — issues that allowed Curry and Shah to track and even start vehicles remotely.

The security issue that Curry and Shah discovered meant that a hacker who had access to a driver’s “last name and ZIP code, email address, phone number, or license plate” could exploit this security vulnerability to obtain a wealth of significant information, from emergency contacts to location history — along with the ability to remotely start or lock the vehicle.

As WIRED’s Andy Greenberg explained, Curry quickly realized that this issue could have wide-ranging implications. “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone,” he told WIRED.

The good news for privacy-conscious Subaru drivers is that Curry’s announcement of the security flaw comes months after he and Shah notified Subaru about the issue. The automaker quickly took steps to patch the issue, meaning that some bad actor with hacking skills can no longer mess with your Outback.


Curry remains concerned over the wider implications of this security flaw, however. He raised two concerns to WIRED: the first being that Subaru’s employees can still gain access to this information. There’s a reason for that: having it on hand can help Subaru drivers with their automotive issues, but it does leave the door open for exploitation. Curry also stated his belief that similar vulnerabilities exist in other automakers’ systems — just waiting to be discovered.
