Subaru Starlink: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 10:

==Overview==

Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />

==Incident==

The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.

Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.

The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>

==Data collection==

===Types of data collected===

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">[https://www.subaru.com/support/privacy-policies.html ~~Subaru Privacy Policy]~~ - ~~subaru.com - accessed~~ 2025-01-16</ref>

Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>

*'''Personal information'''

Line 35:

Line 42:

===Collection methods===

Data collection is performed through:

*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">[https://foundation.mozilla.org/en/privacynotincluded/subaru/ ~~"Mozilla Foundation Privacy Review: Subaru"]~~ - foundation.mozilla.org ~~- accessed 2025-01-16~~</ref>

*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>

*GPS tracking systems.

*Cellular-connectivity modules.

Line 43:

Line 50:

===Third-party data sharing===

Subaru shares data with several entities, including:

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">[https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation ~~"Vehicle Data Collection Lawsuit"]~~ - ~~torquenews.com - accessed~~ 2025-01-16</ref><ref name="NYT">[https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html ~~"Automakers Are Sharing Drivers’ Data"]~~- ~~nytimes.com - accessed~~ 2025-01-16</ref>

*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>

*Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />

*Marketing firms.

Line 66:

Line 73:

*Submitting detailed personal information.

*Potentially long response times.

*No verification mechanism for successful opt-out.<ref name="ConsumerForum">[https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ ~~"Privacy Report Discussion"] - subaruoutback.org~~ - ~~accessed~~ 2025-01-16</ref>

*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>

===Legal challenges===

Line 79:

Line 86:

*Embedded telematics devices.

*4G LTE cellular networks.

*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">[https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html ~~"Subaru STARLINK Terms and Conditions"] - subaru.com~~ - ~~accessed~~ 2025-01-16</ref>

*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>

===Data transmission===

Line 101:

Line 108:

[[Category:Automotive privacy]]

[[Category:Data ~~Collection~~]]

[[Category:Data collection]]

[[Category:Consumer rights]]

@@ Line 10: / Line 10: @@
 ==Overview==
 Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" />
+==Incident==
+The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript.
+Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car.
+The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref>
 ==Data collection==
 ===Types of data collected===
-Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">[https://www.subaru.com/support/privacy-policies.html Subaru Privacy Policy] - subaru.com - accessed 2025-01-16</ref>
+Subaru’s privacy policy and STARLINK terms of service specify that the following data may be collected:<ref name="SubaruPrivacy">{{Cite web |date= |title=Subaru Privacy Policy |url=https://www.subaru.com/support/privacy-policies.html |access-date=2025-01-16 |website=subaru.com}}</ref>
 *'''Personal information'''
@@ Line 35: / Line 42: @@
 ===Collection methods===
 Data collection is performed through:
-*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">[https://foundation.mozilla.org/en/privacynotincluded/subaru/ "Mozilla Foundation Privacy Review: Subaru"] - foundation.mozilla.org - accessed 2025-01-16</ref>
+*Vehicle sensors and diagnostic modules.<ref name="MozillaReview">{{Cite web |last=Mozilla Research |first= |date=15 Aug 2023 |title=Mozilla Foundation Privacy Review: Subaru |url=https://foundation.mozilla.org/en/privacynotincluded/subaru/ |access-date=2025-01-16 |website=foundation.mozilla.org}}</ref>
 *GPS tracking systems.
 *Cellular-connectivity modules.
@@ Line 43: / Line 50: @@
 ===Third-party data sharing===
 Subaru shares data with several entities, including:
-*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">[https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation "Vehicle Data Collection Lawsuit"] - torquenews.com - accessed 2025-01-16</ref><ref name="NYT">[https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html "Automakers Are Sharing Drivers’ Data"]-  nytimes.com - accessed 2025-01-16</ref>
+*Data brokers, such as LexisNexis<ref name="SubaruPrivacy" /> and Verisk.<ref name="TorqueNews">{{Cite web |last=Flierl |first=Denis |date=21 May 2024 |title=Vehicle Data Collection Lawsuit |url=https://www.torquenews.com/1084/subaru-now-involved-vehicle-data-collection-lawsuit-investigation |access-date=2025-01-16 |website=torquenews.com}}</ref><ref name="NYT">{{Cite web |last=Hill |first=Kashmir |date=11 March 2024 |title=Automakers Are Sharing Drivers’ Data |url=https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html |access-date=2025-01-16 |website=nytimes.com}}</ref>
 *Insurance companies for risk assessment and pricing.<ref name="TorqueNews" />
 *Marketing firms.
@@ Line 66: / Line 73: @@
 *Submitting detailed personal information.
 *Potentially long response times.
-*No verification mechanism for successful opt-out.<ref name="ConsumerForum">[https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ "Privacy Report Discussion"] - subaruoutback.org - accessed 2025-01-16</ref>
+*No verification mechanism for successful opt-out.<ref name="ConsumerForum">{{Cite web |date=26 Jan 2025 |title=Privacy Report Discussion |url=https://www.subaruoutback.org/threads/privacy-not-included-subaru-report-connected-services-etc.556583/ |access-date=2025-01-16 |website=subaruoutback.org}}</ref>
 ===Legal challenges===
@@ Line 79: / Line 86: @@
 *Embedded telematics devices.
 *4G LTE cellular networks.
-*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">[https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html "Subaru STARLINK Terms and Conditions"] - subaru.com - accessed 2025-01-16</ref>
+*GPS receivers and cloud-based data-processing systems.<ref name="StarlinkTerms">{{Cite web |title=Subaru STARLINK Terms and Conditions |url=https://www.subaru.com/support/terms-and-conditions/subaru-starlink/subaru-starlink-services.html |access-date=2025-01-16 |website=subaru.com}}</ref>
 ===Data transmission===
@@ Line 101: / Line 108: @@
 [[Category:Automotive privacy]]
-[[Category:Data Collection]]
+[[Category:Data collection]]
 [[Category:Consumer rights]]