Subaru Starlink: Difference between revisions

(3 intermediate revisions by 2 users not shown)

Line 10:

|Website=https://subaru.com/

}}

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==Incidents==

===Obstructive advertising===

Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://archive.ph/~~xzpun~~ |archive-date=~~26 Jan~~ 2026 |access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.

Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://web.archive.org/web/20260222225614/https://old.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-date=22 Feb 2026|access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.

Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=https://~~archive~~.ph/~~bUInY~~ |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.

Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=http://web.archive.org/web/20260126212422/https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.

===Starlink app exploit (''2025'')===

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with ~~javascript~~ the hacker found an employee email off ~~linkedin~~ and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with ~~javascript~~.

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.

Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=https://~~archive~~.ph/~~qaOil~~ |archive-date=~~24 Jan~~ 2025 |access-date=2025-02-19 |website=samcurry.net}}</ref>

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=http://web.archive.org/web/20251115022030/https://samcurry.net/hacking-subaru |archive-date=15 Nov 2025|access-date=2025-02-19 |website=samcurry.net}}</ref>

==Data collection==

Line 58:

===Third-party data sharing===

Subaru shares data with several entities, including:

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=https://~~archive~~.ph/~~SZDh9~~ |archive-date=~~26 Jan 2026~~ |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=http://web.archive.org/web/20250801220315/https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-date=1 Aug 2025|access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />

*Marketing firms.

@@ Line 10: / Line 10: @@
 |Website=https://subaru.com/
 }}
-Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
+Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
 ==Incidents==
 ===Obstructive advertising===
-Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://archive.ph/xzpun |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.
+Since at least 23-05-25<ref name=":0">{{Cite web |title=Just die already SiriusXM |url=https://www.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-url=https://web.archive.org/web/20260222225614/https://old.reddit.com/r/subaru/comments/13rl630/just_die_already_siriusxm/ |archive-date=22 Feb 2026|access-date=2025-11-27 |website=Reddit}}</ref>, Subaru Starlink will sometimes display whole-screen advertisements for [[SiriusXM]] in vehicles with SiriusXM functionality<ref name=":0" />. Advertisements will display regardless of whether the customer purchased a SiriusXM subscription, and cannot be bypassed without explicitly pressing the close button. Normal system usage, such as GPS, media settings, or driving settings cannot be done until the advertisements are closed.
-Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=https://archive.ph/bUInY |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.
+Users are only able to opt-out of this advertising if they have a SiriusXM subscription, which itself will require consent to additional telemetry from SiriusXM<ref>{{Cite web |date=2025-11-27 |title=SiriusXM Help & Support Center |url=https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |url-status=live |archive-url=http://web.archive.org/web/20260126212422/https://listenercare.siriusxm.com/prweb/autoredirect/app/ExternalKM/help/SupportCenter/article/KC-383215/How-do-I-manage-pop-up-messages-inside-my-vehicle%3F |archive-date=26 Jan 2026}}</ref>. Alternative recourse would involve manually uninstalling the telematics module or pulling the fuse powering the telematics module to disable connectivity. <ref>{{Cite web |date=2025-11-27 |title=No sound in front speakers / Mic is missing (Something with Starlink plugs?) - Resolved {{!}} Subaru Crosstrek and XV Forums |url=https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-url=https://web.archive.org/web/20260126213325/https://www.subaruxvforum.com/threads/no-sound-in-front-speakers-mic-is-missing-something-with-starlink-plugs-resolved.180778/ |archive-date=26 Jan 2026 |access-date=2025-11-27 |website=Subaru Crosstrek and XV Forums}}</ref> However, this can disable front audio speakers on certain models due to the fuse powering both Starlink telematics and the front speakers<ref>{{Cite web |date=2020-03-02 |title=Disconnecting your telematics (Starlink) antenna {{!}} Subaru Outback Forums |url=https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-url=https://web.archive.org/web/20230514174802/https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/ |archive-date=14 May 2023 |access-date=2025-11-27 |website=Subaru Outback Forums}}</ref>.
 ===Starlink app exploit (''2025'')===
-The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.
+The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.
 Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
-The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=https://archive.ph/qaOil |archive-date=24 Jan 2025 |access-date=2025-02-19 |website=samcurry.net}}</ref>
+The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |archive-url=http://web.archive.org/web/20251115022030/https://samcurry.net/hacking-subaru |archive-date=15 Nov 2025|access-date=2025-02-19 |website=samcurry.net}}</ref>
 ==Data collection==
@@ Line 58: / Line 58: @@
 ===Third-party data sharing===
 Subaru shares data with several entities, including:
-*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=https://archive.ph/SZDh9 |archive-date=26 Jan 2026 |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>
+*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-url=http://web.archive.org/web/20250801220315/https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |archive-date=1 Aug 2025|access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-url=https://web.archive.org/web/20240311090514/https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |archive-date=11 Mar 2024 |access-date=2025-01-16 |website=nytimes.com}}</ref>
 *Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />
 *Marketing firms.