Subaru Starlink: Difference between revisions

(12 intermediate revisions by 9 users not shown)

Line 1:

~~Starlink is a connectivity service equipped on most modern Subaru vehicles. Publicly available information states~~ Subaru ~~may use~~ Starlink ~~to collect vehicle occupant name, address, VIN, vehicle telemetry, speed and location information, and audio recordings from inside the onboard microphone~~. ~~Newest~~ Subaru ~~vehicles with driver attention monitoring programs may also collect biometric data~~.

{{InfoboxProductLine

| Title = Subaru Starlink

| Release Year = 2013

| Product Type = Software

| In Production = Yes

| Official Website = https://subaru.com/

| Logo = Subaru-starlink.png

}}

~~In addition to the data being collected and available to~~ Subaru, ~~research suggests Subaru sells this~~ data ~~to data brokers, including LexisNexis~~. ~~LexisNexis purchases data packages with data tied to driver identity, which they then sell~~ to ~~insurance companies, who may use the~~ data ~~to modify consumer rates~~.

==Overview==

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==Incident==

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.

~~The process~~ to ~~opt-out~~ of ~~data sharing is difficult to locate online and requires a vehicle owner to submit a variety~~ of personal information. ~~Followup from Subaru on opt-out submissions also takes months~~, ~~after~~ which a ~~consumer has a hard time knowing for certain if data collection is continuing or not, as the vehicle continues to be capable of resuming collection at any time~~.

Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>

~~Sources~~:

==Data collection==

===Types of data collected===

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>

~~https://foundation~~.~~mozilla~~.~~org/en/privacynotincluded/subaru/~~

*'''Personal information'''

**Names, addresses, and contact details.

**Phone numbers and email addresses.

**Social-security numbers (in specific cases).

**Driver's license numbers.

**Vehicle identification numbers (VIN).

*'''Vehicle data'''

**Location and GPS coordinates.

**Speed, acceleration, and braking patterns.

**Time and duration of trips.

**Maintenance and diagnostic information.

**Sensor data, such as crash severity, tire pressure, and coolant temperature.

*'''Audio and biometric data'''

**Audio recordings through onboard microphones.

**Voice data from STARLINK service-center calls.

**Biometric data from systems that driver attention.

**Search content and commands issued by occupants.

https://~~www~~.~~nytimes~~.~~com~~/~~2024~~/03/11/~~technology/carmakers~~-~~driver~~-tracking-~~insurance~~.~~html~~

===Collection methods===

Data collection is performed through:

*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>

*GPS tracking systems.

*Cellular-connectivity modules.

*STARLINK mobile apps and web portals.<ref name="MozillaReview" />

https://www.~~subaruoutback~~.~~org~~/~~threads~~/~~forced~~-~~lack~~-of-~~privacy~~-~~with~~-~~starlink~~-~~and~~-~~constant~~-tracking-of-~~your~~-~~car~~-~~with~~-no-~~opt-out~~.~~569216~~/

==Data sharing and sales==

===Third-party data sharing===

Subaru shares data with several entities, including:

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />

*Marketing firms.

*Emergency services and law enforcement (when required by law).

*Subaru dealerships and distributors.

*Third-party service providers.<ref name="SubaruPrivacy" />

===Insurance-industry usage===

Data brokers aggregate and sell this information to insurance companies, who may:

*Increase insurance premiums based on driving patterns.

*Monitor driving behaviors to assess risk.

*Use driving data for personalized coverage offerings.<ref name="NYT" />

~~https~~:/~~/www.subaru~~.~~com/support/terms-and-conditions/subaru-starlink/subaru-starlink~~-~~services~~.~~html~~

==Privacy concerns==

===Consent issues===

Key concerns include:

*Simply being a passenger in a STARLINK-equipped vehicle constitutes consent.<ref name="MozillaReview" />

*Lack of active notification during data collection.

*Limited opt-out options that might impact vehicle functionality.

https://www.~~torquenews~~.~~com~~/~~1084~~/subaru-~~now~~-~~involved~~-~~vehicle~~-~~data~~-~~collection~~-~~lawsuit~~-~~investigation~~

===Difficulties in opting out===

Subaru’s opt-out process involves:

*Submitting detailed personal information.

*Potentially long response times.

*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>

https://www.~~subaruoutback~~.~~org~~/~~threads~~/~~privacy~~-~~not~~-~~included~~-subaru-~~report~~-connected-services~~-etc~~.~~556583~~/

===Legal challenges===

Subaru faces legal scrutiny for:

*Allegations of insufficiently disclosing its data-collection policies what it does with data.

*Potential non-compliance with privacy laws.

*[[Class-action lawsuit]] investigations over consent practices.<ref name="TorqueNews" />

==Technical details==

===System architecture===

STARLINK is built upon:

*Embedded telematics devices.

*4G LTE cellular networks.

*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>

===Data transmission===

*Real-time data transmission through LTE networks.

*Local storage when connectivity is unavailable.<ref name="StarlinkTerms" />

==Consumer-protection issues==

===Privacy rights===

Critics cite:

*Minimal control over data retention.

*Broad sharing permissions in privacy policies.

*Limited transparency about how data is used.<ref name="MozillaReview" />

===Economic harm===

*Insurance-rate adjustments based on driving data.

*Subscription fees for connected services.

*Potential effects on vehicle resale value.<ref name="NYT" />

==References==

[[Category:Automotive privacy]]

[[Category:Data collection]]

[[Category:Consumer rights]]

@@ Line 1: / Line 1: @@
-Starlink is a connectivity service equipped on most modern Subaru vehicles.  Publicly available information states Subaru may use Starlink to collect vehicle occupant name, address, VIN, vehicle telemetry, speed and location information, and audio recordings from inside the onboard microphone.  Newest Subaru vehicles with driver attention monitoring programs may also collect biometric data.
+{{InfoboxProductLine
+| Title = Subaru Starlink
+| Release Year = 2013
+| Product Type = Software
+| In Production = Yes
+| Official Website = https://subaru.com/
+| Logo = Subaru-starlink.png
+}}
-In addition to the data being collected and available to Subaru, research suggests Subaru sells this data to data brokers, including LexisNexis. LexisNexis purchases data packages with data tied to driver identity, which they then sell to insurance companies, who may use the data to modify consumer rates.
+==Overview==
+Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
+==Incident==
+The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.
-The process to opt-out of data sharing is difficult to locate online and requires a vehicle owner to submit a variety of personal information.  Followup from Subaru on opt-out submissions also takes months, after which a consumer has a hard time knowing for certain if data collection is continuing or not, as the vehicle continues to be capable of resuming collection at any time.
+Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
+The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>
-Sources:
+==Data collection==
+===Types of data collected===
+Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>
-https://foundation.mozilla.org/en/privacynotincluded/subaru/
+*'''Personal information'''
+**Names, addresses, and contact details.
+**Phone numbers and email addresses.
+**Social-security numbers (in specific cases).
+**Driver's license numbers.
+**Vehicle identification numbers (VIN).
+*'''Vehicle data'''
+**Location and GPS coordinates.
+**Speed, acceleration, and braking patterns.
+**Time and duration of trips.
+**Maintenance and diagnostic information.
+**Sensor data, such as crash severity, tire pressure, and coolant temperature.
+*'''Audio and biometric data'''
+**Audio recordings through onboard microphones.
+**Voice data from STARLINK service-center calls.
+**Biometric data from systems that driver attention.
+**Search content and commands issued by occupants.
-https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html
+===Collection methods===
+Data collection is performed through:
+*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>
+*GPS tracking systems.
+*Cellular-connectivity modules.
+*STARLINK mobile apps and web portals.<ref name="MozillaReview" />
-https://www.subaruoutback.org/threads/forced-lack-of-privacy-with-starlink-and-constant-tracking-of-your-car-with-no-opt-out.569216/
+==Data sharing and sales==
+===Third-party data sharing===
+Subaru shares data with several entities, including:
+*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>
+*Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />
+*Marketing firms.
+*Emergency services and law enforcement (when required by law).
+*Subaru dealerships and distributors.
+*Third-party service providers.<ref name="SubaruPrivacy" />
+===Insurance-industry usage===
+Data brokers aggregate and sell this information to insurance companies, who may:
+*Increase insurance premiums based on driving patterns.
+*Monitor driving behaviors to assess risk.
+*Use driving data for personalized coverage offerings.<ref name="NYT" />
-https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html
+==Privacy concerns==
+===Consent issues===
+Key concerns include:
+*Simply being a passenger in a STARLINK-equipped vehicle constitutes consent.<ref name="MozillaReview" />
+*Lack of active notification during data collection.
+*Limited opt-out options that might impact vehicle functionality.
-https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation
+===Difficulties in opting out===
+Subaru’s opt-out process involves:
+*Submitting detailed personal information.
+*Potentially long response times.
+*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>
-https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/
+===Legal challenges===
+Subaru faces legal scrutiny for:
+*Allegations of insufficiently disclosing its data-collection policies what it does with data.
+*Potential non-compliance with privacy laws.
+*[[Class-action lawsuit]] investigations over consent practices.<ref name="TorqueNews" />
+==Technical details==
+===System architecture===
+STARLINK is built upon:
+*Embedded telematics devices.
+*4G LTE cellular networks.
+*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>
+===Data transmission===
+*Real-time data transmission through LTE networks.
+*Local storage when connectivity is unavailable.<ref name="StarlinkTerms" />
+==Consumer-protection issues==
+===Privacy rights===
+Critics cite:
+*Minimal control over data retention.
+*Broad sharing permissions in privacy policies.
+*Limited transparency about how data is used.<ref name="MozillaReview" />
+===Economic harm===
+*Insurance-rate adjustments based on driving data.
+*Subscription fees for connected services.
+*Potential effects on vehicle resale value.<ref name="NYT" />
+==References==
+<references />
+[[Category:Automotive privacy]]
+[[Category:Data collection]]
+[[Category:Consumer rights]]