Subaru left behind a gaping security flaw that, even when patched, exposes more privacy issues in modern vehicles. Security researchers Sam Curry and Shubham Shah reported their findings (through Wired) about an easily hacked employee web portal. After gaining access, they were able to remotely control a test car and view a year’s worth of location data. They warn that Subaru is far from alone in having lax security around vehicle data.
After the researchers notified Subaru, the company quickly patched the flaw. Fortunately, the researchers say less ethical hackers don't appear to have exploited it in the past. But they say authorized Subaru employees can still access an owner's location history with just one of the following pieces of information: the owner's last name, zip code, email address, phone number or license plate.
Engadget has emailed Subaru for comment, and we’ll update this story when we hear back.
The hacked admin portal is part of Subaru's Starlink suite of connectivity features (no relation to SpaceX's satellite internet service of the same name). Curry and Shah got in by looking up a Subaru Starlink employee's email address on LinkedIn and resetting the worker's password, skipping two required security questions because that check ran client-side, in the end user's web browser, rather than on Subaru's servers. They bypassed two-factor authentication the same way, by doing "the simplest thing we could think of: removing the client-side overlay from the UI."
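The failure described above is a verification step that exists only in the browser. The following is an added illustration, not Subaru's code or anything from the researchers' report: a toy password-reset flow in which the weak handler trusts flags the client reports for the security-question and 2FA steps, beside a hardened service that keeps the step state on the server and advances it only after verifying each step itself. The account record, the stored answer and the OTP value are constructed stand-ins.

```python
"""Password reset enforced in the browser versus on the server.

Added example for the failure mode described above; it is not Subaru's code
and the account data, answer and OTP value are constructed. The 'weak'
handler completes a reset as soon as the browser reports that the security
questions and 2FA steps were passed, so hiding those steps in the UI or
editing the request skips them. The 'hardened' service keeps the step state
on the server and advances it only after verifying each step itself.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed account record; a real deployment would use a user store,
# salted hashing for answers and a real OTP generator.
ACCOUNT = {
    "email": "employee@example.test",
    "answer_hash": hashlib.sha256(b"correct-answer").hexdigest(),
    "otp_code": "123456",
}


def _answer_ok(answer: str) -> bool:
    digest = hashlib.sha256(answer.encode()).hexdigest()
    return hmac.compare_digest(digest, ACCOUNT["answer_hash"])


def _otp_ok(code: str) -> bool:
    return hmac.compare_digest(code, ACCOUNT["otp_code"])


def weak_reset(request: dict) -> bool:
    """Weak: trusts flags the client sets. Returns True if the reset completes."""
    return bool(request.get("questions_ok") and request.get("mfa_ok"))


@dataclass
class ResetSession:
    questions_verified: bool = False
    mfa_verified: bool = False


class HardenedResetService:
    """Hardened: verification state lives server-side, keyed by an opaque token."""

    def __init__(self) -> None:
        self._sessions = {}

    def start(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self._sessions[token] = ResetSession()
        return token

    def answer_questions(self, token: str, answer: str) -> bool:
        session = self._sessions.get(token)
        if session is None:
            return False
        session.questions_verified = _answer_ok(answer)
        return session.questions_verified

    def submit_otp(self, token: str, code: str) -> bool:
        session = self._sessions.get(token)
        # Step order is enforced here, not by which screens the browser shows.
        if session is None or not session.questions_verified:
            return False
        session.mfa_verified = _otp_ok(code)
        return session.mfa_verified

    def set_password(self, token: str, new_password: str, client_claims=None) -> bool:
        """Completes the reset only if the server itself verified both steps.

        client_claims mirrors the flags weak_reset() trusts; it is ignored here.
        """
        session = self._sessions.get(token)
        if session is None or not (session.questions_verified and session.mfa_verified):
            return False
        del self._sessions[token]  # one-shot: the token cannot be replayed
        return True
```

The point of the hardened version is that nothing the browser sends can move the session from one step to the next; only a server-side check of the answer or code does, and the final step reads that server-side state rather than any client claim.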
Although the researchers' tests traced the test vehicle's location back one year, they could not rule out the possibility that authorized Subaru employees could look back even further. That's because the test car (a 2023 Subaru Impreza that Curry bought for his mother on the condition that he could hack it) has only been in use for about that long. The location data isn't generalized to some wide swath of land, either: it's accurate to within 17 feet and is updated every time the engine starts.
"After searching and finding my own car dashboard, I have confirmed that the Starlink admin dashboard should have access to any Subaru in the United States, Canada, and Japan," Curry wrote. "We wanted to confirm that we were missing nothing, so we contacted a friend and asked if we could hack his car to show that there was no requirement or feature that would prevent a full car takeover. He sent us his license plate, we pulled his car into the admin panel, then finally we added ourselves to his car."
In addition to tracking vehicle locations, the admin portal allowed the researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru. They said Curry's mother never received a notification that they had added themselves as authorized users of her car, nor an alert when they unlocked it.
They could also look up personal information for any customer, including emergency contacts, authorized users, home address, the last four digits of their credit card and the vehicle PIN. They were also able to access the owner's support call history, previous owners of the car, odometer readings and sales history.
Security researchers say the tracking and security failures — which stem from an employee’s ability to access “a ton of personal information” — are hardly unique to Subaru. Wired says previous work by Curry and Shah has uncovered similar defects affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.
The pair believe there is cause for serious concern about the industry's location tracking and poor security measures. "The auto industry is unique in that an 18-year-old employee from Texas can ask for billing information on a California car, and it won't set off any alarm bells," Curry wrote. "This is part of their normal daily work. All employees have access to a ton of personal information, and everyone relies on trust. It seems really hard to secure these systems when such broad access is built into the system by default."
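Where access this broad is the default, the remaining control is the audit trail. The following is an added example, not from the researchers' report or from Subaru, of the kind of review a portal operator could run over its own logs: it flags customer lookups by staff assigned to a different region (the Texas/California case in the quote above), authorized-user additions with no matching owner notification (the alert Curry's mother never received), and location-history pulls reaching further back than a set window. The event schema and the sample lines are constructed.

```python
"""Audit-log rules for an admin portal with broad default access.

Added example, not from the report or from Subaru; the event schema and the
sample lines are constructed. Three checks a portal operator could run over
its own audit trail: cross-region customer access, authorized-user additions
the owner was never notified about, and over-long location-history pulls.
"""
import json

# Constructed audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-01-20T10:00:00Z","actor":"emp17","actor_region":"TX","action":"lookup_billing","vin":"VIN-A","vehicle_region":"TX"}
{"ts":"2025-01-20T10:05:00Z","actor":"emp17","actor_region":"TX","action":"lookup_billing","vin":"VIN-B","vehicle_region":"CA"}
{"ts":"2025-01-20T10:06:00Z","actor":"emp17","actor_region":"TX","action":"add_authorized_user","vin":"VIN-B","vehicle_region":"CA"}
{"ts":"2025-01-20T10:09:00Z","actor":"emp42","actor_region":"CA","action":"add_authorized_user","vin":"VIN-C","vehicle_region":"CA"}
{"ts":"2025-01-20T10:09:30Z","actor":"system","action":"owner_notified","vin":"VIN-C","reason":"add_authorized_user"}
{"ts":"2025-01-20T10:20:00Z","actor":"emp17","actor_region":"TX","action":"location_history","vin":"VIN-B","vehicle_region":"CA","days":365}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cross_region_access(events: list) -> list:
    """Staff touching a vehicle registered outside their assigned region."""
    return [
        e for e in events
        if e.get("actor_region") and e.get("vehicle_region")
        and e["actor_region"] != e["vehicle_region"]
    ]


def unnotified_user_additions(events: list) -> list:
    """Authorized-user additions with no owner notification for that VIN."""
    notified = {
        e["vin"] for e in events
        if e["action"] == "owner_notified" and e.get("reason") == "add_authorized_user"
    }
    return [
        e for e in events
        if e["action"] == "add_authorized_user" and e["vin"] not in notified
    ]


def long_location_pulls(events: list, max_days: int = 30) -> list:
    """Location-history queries reaching back further than the allowed window."""
    return [
        e for e in events
        if e["action"] == "location_history" and e.get("days", 0) > max_days
    ]


def review(text: str) -> dict:
    """Runs every rule and returns the number of findings per rule."""
    events = parse_events(text)
    findings = {
        "cross_region": cross_region_access(events),
        "unnotified_add": unnotified_user_additions(events),
        "long_location": long_location_pulls(events),
    }
    return {name: len(hits) for name, hits in findings.items()}


if __name__ == "__main__":
    for rule, count in review(SAMPLE_LOG).items():
        print(f"{rule}: {count} finding(s)")
```

Each rule is deliberately narrow and reads only fields the portal already knows (who the employee is, which vehicle they touched, whether the owner was told), so the same checks could be run on every request before it is served rather than afterwards over the log.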
The full report by the researchers is worth reading.