Subaru Starlink: Difference between revisions

(15 intermediate revisions by 11 users not shown)

Line 1:

{{~~InfoboxProductLine~~

''For the satellite {{wplink|internet service provider}}, see [[Starlink]].''

| ~~Title~~ = Subaru ~~Starlink~~

{{ProductLineCargo

| ~~Release Year~~ = ~~2013~~

|ArticleType=Service

| ~~Product Type~~ = ~~Software~~

|Category=Software

| ~~In Production~~ = ~~Yes~~

|Company=Subaru

| ~~Official~~ Website = https://subaru.com/

|Description=

~~| Logo = Subaru-starlink.png~~

|InProduction=Yes

|Logo=Subaru-starlink.png

|ReleaseYear=2013

|Website=https://subaru.com/

}}

Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==~~Overview~~==

==Incidents==

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==~~Incident~~==

===Obstructive advertising===

~~The exploit was achieved by intercepting the~~ Starlink ~~app's network requests which revealed the admin portal login~~ screen~~. Using the~~ "~~Reset password~~" ~~feature~~ of the ~~admin portal which was hidden with javascript the hacker found an employee email off linkedin~~ and ~~successfully managed to login to~~ the ~~admin portal~~. ~~Although implementing 2FA this too was entirely client-side and~~ the ~~modal window blocking further interaction without verification could also be hidden with javascript~~.

Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://web.archive.org/web/20260222225614/https://old.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-date=22 Feb 2026|access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.

~~Inside the admin portal any employee had access~~ to a ~~range of personal information~~, ~~largely comprised of~~ the ~~personal information listed below. Additionally~~ the ~~employee~~ the ~~hacker had login as had level 2~~ access ~~allowing them to remotely lock~~, ~~unlock, honk, issue speeding warnings and more which they demonstrated~~ on ~~their own~~ and ~~a friend's~~ Subaru ~~car~~.

Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=http://web.archive.org/web/20260126212422/https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>

===Starlink app exploit (''2025'')===

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.

Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=http://web.archive.org/web/20251115022030/https://samcurry.net/hacking-subaru |archive-date=15 Nov 2025|access-date=2025-02-19 |website=samcurry.net}}</ref>

==Data collection==

===Types of data collected===

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>

*'''Personal information'''

Line 42:

Line 50:

===Collection methods===

Data collection is performed through:

*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>

*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |archive-url=https://web.archive.org/web/20230906050929/https://foundation.mozilla.org/en/privacynotincluded/subaru/ |archive-date=6 Sep 2023 |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>

*GPS tracking systems.

*Cellular-connectivity modules.

Line 50:

Line 58:

===Third-party data sharing===

Subaru shares data with several entities, including:

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=http://web.archive.org/web/20250801220315/https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-date=1 Aug 2025|access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />

*Marketing firms.

Line 73:

Line 81:

*Submitting detailed personal information.

*Potentially long response times.

*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>

*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |archive-url=https://web.archive.org/web/20250510152056/https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |archive-date=10 May 2025 |access-date=2025-01-16 |website=subaruoutback.org}}</ref>

===Legal challenges===

Line 86:

Line 94:

*Embedded telematics devices.

*4G LTE cellular networks.

*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>

*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |archive-url=https://web.archive.org/web/20250708205238/https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |archive-date=8 Jul 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>

===Data transmission===

Line 107:

Line 115:

[[Category:~~Automotive privacy]]~~

[[Category:{{PAGENAME}}]]

~~[[Category:Data collection]]~~

~~[[Category:Consumer rights~~]]

@@ Line 1: / Line 1: @@
-{{InfoboxProductLine
+''For the satellite {{wplink|internet service provider}}, see [[Starlink]].''
-| Title = Subaru Starlink
+{{ProductLineCargo
-| Release Year = 2013
+|ArticleType=Service
-| Product Type = Software
+|Category=Software
-| In Production = Yes
+|Company=Subaru
-| Official Website = https://subaru.com/
+|Description=
-| Logo = Subaru-starlink.png
+|InProduction=Yes
+|Logo=Subaru-starlink.png
+|ReleaseYear=2013
+|Website=https://subaru.com/
 }}
+Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
-==Overview==
+==Incidents==
-Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
-==Incident==
+===Obstructive advertising===
-The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.
+Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://web.archive.org/web/20260222225614/https://old.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-date=22 Feb 2026|access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.
-Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
+Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=http://web.archive.org/web/20260126212422/https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.
-The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>
+===Starlink app exploit (''2025'')===
+The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.
+Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
+The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=http://web.archive.org/web/20251115022030/https://samcurry.net/hacking-subaru |archive-date=15 Nov 2025|access-date=2025-02-19 |website=samcurry.net}}</ref>
 ==Data collection==
 ===Types of data collected===
-Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>
+Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>
 *'''Personal information'''
@@ Line 42: / Line 50: @@
 ===Collection methods===
 Data collection is performed through:
-*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>
+*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |archive-url=https://web.archive.org/web/20230906050929/https://foundation.mozilla.org/en/privacynotincluded/subaru/ |archive-date=6 Sep 2023 |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>
 *GPS tracking systems.
 *Cellular-connectivity modules.
@@ Line 50: / Line 58: @@
 ===Third-party data sharing===
 Subaru shares data with several entities, including:
-*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>
+*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=http://web.archive.org/web/20250801220315/https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-date=1 Aug 2025|access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>
 *Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />
 *Marketing firms.
@@ Line 73: / Line 81: @@
 *Submitting detailed personal information.
 *Potentially long response times.
-*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>
+*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |archive-url=https://web.archive.org/web/20250510152056/https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |archive-date=10 May 2025 |access-date=2025-01-16 |website=subaruoutback.org}}</ref>
 ===Legal challenges===
@@ Line 86: / Line 94: @@
 *Embedded telematics devices.
 *4G LTE cellular networks.
-*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>
+*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |archive-url=https://web.archive.org/web/20250708205238/https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |archive-date=8 Jul 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>
 ===Data transmission===
@@ Line 107: / Line 115: @@
 <references />
-[[Category:Automotive privacy]]
+[[Category:{{PAGENAME}}]]
-[[Category:Data collection]]
-[[Category:Consumer rights]]