A hot potato: Security researchers have uncovered alarming vulnerabilities in Subaru's Starlink system, potentially exposing millions of vehicles to unauthorized access and extensive location tracking. While Subaru has said that it doesn't sell location data, the potential for misuse is a significant concern. The discovery began when Sam Curry, having purchased a 2023 Impreza for his mother, decided to examine its internet-connected features during a Thanksgiving visit.Curry and fellow researcher Shubham Shah found they could hijack control of various vehicle functions, including unlocking doors, honking the horn, and starting the ignition. However, what Curry found most disturbing was the ability to access detailed location history. "You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry told Wired. He added, "Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone."The researchers began by identifying a weakness in the password reset functionality on the SubaruCS.com site, an administrative portal intended for Subaru employees. By simply guessing an employee's email address, they could initiate a password reset process, exposing a critical flaw in the system's design.Further investigation revealed that while the site did ask for answers to two security questions during the reset process, these were verified using client-side code running in the user's browser rather than on Subaru's servers. This oversight allowed the researchers to easily bypass the security questions, highlighting a significant lapse in the company's cybersecurity measures. "There were really multiple systemic failures that led to this," Shah told Wired.Curry and Shah then used LinkedIn to locate the email address of a Subaru Starlink developer, exploiting the vulnerabilities to take over this employee's account, which granted them access to sensitive information and controls. The compromised account allowed the pair to look up any Subaru owner using various personal identifiers such as last name, zip code, email address, phone number, or license plate. // Related StoriesMoreover, they discovered that they could access and modify Starlink configurations for any vehicle, as well as reassign control of Starlink features. This included the ability to remotely unlock cars, honk horns, start ignitions, and locate vehicles.Most alarmingly, Curry and Shah gained access to detailed location histories of vehicles, with data going back at least a year. "You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry explained to Wired.Subaru quickly patched the security flaws after the researchers reported their findings in late November. However, the incident raises broader concerns about privacy and data security in the automotive industry. The researchers warn that similar vulnerabilities likely exist in other automakers' systems.A Subaru spokesperson confirmed to Wired that certain employees can access location data, stating that it's necessary for purposes such as sharing vehicle location with first responders in case of collisions. "All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed," the company said. It also said it doesn't sell location data.The discovery is part of a larger trend of security vulnerabilities in connected vehicles. Curry and other researchers have previously identified similar issues affecting multiple car manufacturers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.This incident underscores the growing privacy concerns surrounding modern vehicles. A recent report by the Mozilla Foundation highlighted that 92 percent of car manufacturers give owners little to no control over collected data, and 84 percent reserve the right to sell or share this information.