Subaru Starlink: Difference between revisions

(3 intermediate revisions by 2 users not shown)

Line 1:

{{Cleanup|Issue 1=Citations should be placed after punctuation.|Issue 2=Article needs to follow the format as provided in [[Template:ProductLinePreload]].}}

''For the satellite {{wplink|internet service provider}}, see [[Starlink]].''

{{ProductLineCargo

Line 10:

Line 11:

|Website=https://subaru.com/

}}

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==Incidents==

Line 20:

Line 21:

===Starlink app exploit (''2025'')===

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with ~~javascript~~ the hacker found an employee email off ~~linkedin~~ and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with ~~javascript~~.

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.

Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

Line 28:

Line 29:

==Data collection==

===Types of data collected===

~~Subaru’s~~ privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>

Subaru's privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>

*'''Personal information'''

Line 87:

Line 88:

*Allegations of insufficiently disclosing its data-collection policies what it does with data.

*Potential non-compliance with privacy laws.

*[[Class-action lawsuit]] investigations over consent practices.<ref name="TorqueNews" />

*{{Wplink|Class action}} lawsuit investigations over consent practices.<ref name="TorqueNews" />

==Technical details==

Line 113:

Line 114:

==References==

~~<references />~~

[[Category:{{PAGENAME}}]]

@@ Line 1: / Line 1: @@
+{{Cleanup|Issue 1=Citations should be placed after punctuation.|Issue 2=Article needs to follow the format as provided in [[Template:ProductLinePreload]].}}
 ''For the satellite {{wplink|internet service provider}}, see [[Starlink]].''
 {{ProductLineCargo
@@ Line 10: / Line 11: @@
 |Website=https://subaru.com/
 }}
-Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
+Starlink is a connectivity service equipped on most modern [[Subaru]] vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
 ==Incidents==
@@ Line 20: / Line 21: @@
 ===Starlink app exploit (''2025'')===
-The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.
+The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with [[JavaScript]] the hacker found an employee email off [[LinkedIn]] and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with JavaScript.
 Inside the admin portal any employee can access a wide range of personal information, largely comprised of the personal information listed below. Additionally, if the employee has level 2 access, they can remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
@@ Line 28: / Line 29: @@
 ==Data collection==
 ===Types of data collected===
-Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>
+Subaru's privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |archive-url=https://web.archive.org/web/20250221075725/https://www.subaru.com/support/privacy-policies.html |archive-date=21 Feb 2025 |access-date=2025-01-16 |website=subaru.com}}</ref>
 *'''Personal information'''
@@ Line 87: / Line 88: @@
 *Allegations of insufficiently disclosing its data-collection policies what it does with data.
 *Potential non-compliance with privacy laws.
-*[[Class-action lawsuit]] investigations over consent practices.<ref name="TorqueNews" />
+*{{Wplink|Class action}} lawsuit investigations over consent practices.<ref name="TorqueNews" />
 ==Technical details==
@@ Line 113: / Line 114: @@
 ==References==
-<references />
+{{Reflist}}
 [[Category:{{PAGENAME}}]]