On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.
The scary part to me (noted in the article as well) is less the technical hack but more so the amount of data they are collecting.
Subaru had/has an ongoing issue where the telematics drains the battery while the car is parked, especially if it’s parked out of reach of cell towers. With the amount of data they are sending, it’s not surprising.
There is no need for the car to report its position whatsoever unless I request assistance.
At 38C3, there was a talk about Volkswagen - a German car manufacturer - that didn’t correctly secure the data it collected from its vehicles and what you can “learn” from this data. The talk can be found here; it’s in German, but there’s also an English translation in another audio layer.
https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen