
Hacking Subaru: Tracking and Controlling Cars via the Starlink Admin Panel

like_any_other

> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

So 'only' Subaru, Starlink, their business and advertising partners, and law enforcement, can remotely track (and disable - don't think you can run from the law!) your car?

> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

Assuming it's possible to not agree to it - does that completely disable the system, or is everyone with a Subaru just one warrant away from getting locked in their car until the police can come to arrest them? Does the car still store (I'm charitably assuming it doesn't transmit) location data, so all your friends can retroactively be identified and arrested as well, even if you never agreed to any tracking?

(To get ahead of the usual retort - haha yes, phones also track this data, therefore let's not fix any problems unless we can fix all of them at the same time. But actually let's use the other problems as an excuse to do nothing.)

aftbit

I was lucky to have the DCM in my 2019 Outback (which is responsible for cellular communication and thus this whole STARLINK thing) replaced with a bypass box under the warranty program related to the end of 3G service. My car was trying to go online 30 times an hour or something like that, draining the battery enough that it needed to be replaced after just 4 years. They don't have enough new DCMs so they were willing to replace it with a bypass box instead, which seems even better to me.

So at least my Subaru cannot connect to the cloud anymore. I'm sure it still stores location and telemetry data for insurance fraud reasons though.

dylan604

> So at least my Subaru cannot connect to the cloud anymore.

Sounds like something you can use to justify a higher selling price when the time comes

mmmlinux

FWIW I never replaced the 3g box in my 2018 Subaru, and never have a battery drain issue. The battery did fail about 4 years in to owning the car, but it was a cell failure not a drain issue.

pfooti

My Subaru, a 2018 Outback, would be completely battery dead if I left it parked for more than a week or so. Happened once at the airport, after which I started carrying a battery pack car starter. The guy at the airport who gave us a jump said it happened all the time with Subarus in long term parking.

reginald78

My local mechanic said that there is a firmware update that supposedly fixes the radio drain last time I replaced the battery but I haven't looked into it. He primarily works on Subarus and it sounded like he'd seen that as a root cause of dead battery a lot.

bongodongobob

That's avg time to replace a battery.

aftbit

Hmm really? My Camry made it nearly 10 years, and my Civic still had a good battery 6 years in when I sold it.

Regardless, the battery and DCM were both tested by Subaru. The battery tested bad, and the DCM tested for a high parasitic draw. I drove the car daily, and the battery would die if I didn't drive it for 4 days. I didn't just make this up either, search "DCM parasitic draw" on Google for more. Subaru even sent me a letter outlining my options for repairs.

mattmaroon

It’s not the Starlink you’re thinking of, that’s Subaru’s name for their in-car infotainment system and predates the SpaceX Starlink.

So it’s just Subaru.

Also I doubt any ad partners can disable your car (outside of vulnerabilities like this). Subaru can but that’s the case with most modern vehicles.

reaperducer

> Assuming it's possible to not agree to it

My new car came with something called "Google Built-In," which seems to be the bastard sibling of Google Car Play.

During the set up, if you'd like to read the privacy policy, you must scan a QR code on your phone, which opens a web page that does not display on mobile devices.

If you'd like to opt-out of anything, you have to create a Google account, then log the car into that Google account, then log into that Google account on your phone, then go hunting for the settings on both the car and in the Google account online. Good luck finding them all.

Also, it is not possible to uninstall certain "essential" Google apps from the car. Apparently, YouTube is now an "essential" part of driving.

rurp

Yeesh, which car manufacturer is this from?

dantillberg

Last year, I submitted a "right to know" request to Subaru, and they sent the following back. I've reformatted it for legibility. Basically asserts they'll do and sell whatever they want (except another car to me).

> Subaru may collect the following personal information about a consumer:

> Categories of personal information:

> Identifiers: Consumer records, Commercial information, Internet or Other Electronic Network Activity, Audio recordings, Vehicle geolocation, Professional or employee-related information, Inferences, Sensitive personal information

> Categories of sources from which the personal information is collected: Retailers, i.e. authorized Subaru dealerships, Provided by consumer or vehicle, Third parties

> Business or commercial purpose for which Subaru collects or sells personal information: To provide services to the consumer, To market goods and services to consumers, To provide marketing by third parties for third party goods and/or services, To comply with legal obligation

> Categories of third parties with whom the personal information is shared: Business service providers, Contractors, Retailers, Corporate parent and affiliates, Third party providers of goods and/or services, Entities required to comply with the law

> Categories of personal information sold: Identifiers for third party marketing of goods or services; Consumer records for third party marketing of goods or services

> Categories of personal information disclosed for business purpose: Identifiers are disclosed to service providers, contractors, and third parties; Consumer records are disclosed to service providers, contractors, and third parties; Commercial information is disclosed to service providers, contractors, and third parties; Internet or other electronic information is disclosed to service providers, contractors, and third parties; Vehicle geolocation is disclosed to service providers; Inferences are disclosed to service providers and contractors; Sensitive personal information is disclosed to service providers and contractors.

mavdi

Not surprised. I've had a few interactions with Subaru connected services dev team as an external contractor from another car company, everyone was everyone else's cousin, friend, homeboy from India. Nepotism was rampant, no one wanted to listen to advice, a strong culture of corporate antibodies had formed. I'm surprised they even got it to work at this level.

duxup

I love my Subaru as far as reliability, all wheel drive performance in snow and ice, and such.

But OMG its consumer tech was dated when I bought it, and it's just full of inexplicable issues and caveats and such. Even just the limitations and the UX issues are so obvious that it sends a message that if they tried to fix them they would introduce just as many new issues. I'm at the point where despite the car being good, I'm not interested in a new one from Subaru.

I just want CarPlay or Android Auto or whatever similar services a given mobile OS provides to do similar things. That's it, every time it's something else (even when offering CarPlay) from a car maker it is so bad and so naively built that it makes me less confident in that company.

I know, they want my data and all and that's the motivation, but man it's just such a downer with every system.... and here I am with a good car in most respects and I'm not planning on buying from them again.

numpad0

I suspect it has to do with slow adoption of CarPlay/Android Auto in Japan - everyone still options aftermarket infotainment at dealerships and happier about it than with phone-based experiences. From a random Google search result[1]:

> More than three-fourths (79%) cite the built-in navigation system. However, this percentage has decreased from 81% in 2022 and 82% in 2021. Use of Android Auto/Apple CarPlay apps is increasingly the preferred system, with 7% of users citing this in 2023, compared with 5% in 2022 and 3% in 2021.

That's like 80% CP/AA adoption by 2060.

UI/UX and especially overall experience polish had always been a major challenge for Japanese engineering. Everything is committee designed in perpetual intra-company tug of war, and it shows as a "family sized mega pack" UI consisting of a bunch of code snippets, each with an attention grab dialog to prove its worth. That was clearly one of the major causes that led to total collapse of the domestic phone industry and iPhone dominance, but I suppose it hasn't affected car infotainment, or mass market cars in general.

1: https://japan.jdpower.com/sites/japan/files/file/2023-11/202...

duxup

>UI/UX and especially overall experience polish had always been a major challenge for Japanese engineering.

I can believe it. The whole issue of "Japanese video game companies don't understand the internet" to some extent still feels like it is an issue at times.

For a while it felt like we got late 1990s solutions in the mid 2010s... it's gotten better-ish in the land of video games, but man it's so bad at times still.

scottbez1

Hmm this is really different than my experience with a 2018 Crosstrek, so maybe things have changed? When I bought it, Subaru was among the earlier CarPlay/Android Auto adopters (we specifically ruled out a new model year Prius because it lacked it and we couldn't wait a year to replace our totaled car), and other than a very rare issue where the head unit screen doesn't turn on, it's been pretty rock solid with both phone OSes.

Environmental controls are all physical hardware, CarPlay/AA is integrated well, etc; I can't really complain about any UX in the car.

The only UX gripe I can think of is that Apple doesn't let you use natural touch inputs to pan/zoom a map (instead forcing you to tap to bring up on-screen d-pad, then keep tapping the tiny button targets while trying to keep an eye on the road), but that's entirely on Apple; Android Auto allows normal 2 finger pan/zoom, so it's not a Subaru problem.

blackeyeblitzar

Subaru infotainment is also very controlling. Want to use the keypad while you’re taking a phone call on the go? No, it won’t let you if the car is moving. You’ll need to use your phone’s UI. Other CarPlay cars don’t do this.

js2

My 2017 Mazda with CarPlay does something similar. It truncates any lists (songs, podcast episodes, contacts, etc) that CarPlay displays to 10 items. All it does is incentivize folks to use their phone. It's incredibly annoying because the Mazda command dial for interacting with CarPlay is otherwise excellent and I don't think that limiting the list size does anything to reduce distraction.

spelunker

I have a car from another Japanese manufacturer (Mazda) - their connected services app is weird and clunky and was down twice this month. And I'm expected to pay $10/month for this thing after the first year! C'mon.

ajsnigrutin

yep...

there was a tv ad for subaru vehicles a couple of years ago (not that long!), and during the ad, they showed the infotainment system, where the user pans the map on the navigation touchscreen, and the map moves at maybe 1fps! in an ad!

I kinda wish they standardized the car interface for tablets (like android auto, but more features), where you could just buy a tablet and insert it in (like din slots for radio, but tablet-sized), and the car would expose some non-critical interfaces to the tablet (AC,...), and you could just buy a replacement tablet if needed. Cars are made to last 10, 15, even more years, while the computers/entertainment devices move a lot faster, and that includes the connectivity (many cars on the streets today were made before 4g, and 3g is mostly dead).

monitorlizard

This is a genuinely good idea for a business that I think you should explore further if you have the bandwidth.


duxup

Working across cultures is so wild.

I worked in situations where things were outsourced and yeah the Indian experience was horrific. But that also was influenced by the nature of the relationship.... they didn't work "for us" in any real way.

I worked for a company where we (a Midwestern company) were acquired by a valley company and at HQ there was a clear divide between the Indian (US citizens, not H1B) folks and the local CA team. It wasn't bad, but you could see it socially and feel the vibe and such.

I traveled there a few times and I was just friendly and ... man they were great. Very friendly, very professional, and highly capable.

Sometimes I think the business relationships also creates the informal "working culture" too.

UltraSane

We once hired an Indian programmer who absolutely didn't get along with his boss, who was also Indian. Turns out the boss was a Dalit and the programmer was a Brahmin. And this is how I learned about the Indian Caste system.

kccqzy

I've heard of this claim so often that I assume it to be true, though personally I've only had the fortune to work in better environments where my Indian colleagues aren't nepotistic. I suspect this might be related to the hiring bar: if a company only hires the top talent perhaps this would not be an issue.

gedy

Unfortunately I think it depends on the number and position of Indian folks.

Small numbers where you deal with people individually, I've not seen issues and it's nice to work with Indian devs.

In larger numbers or when in charge of hiring, there seems to be a prevalent issue of Indian cultural norms and favors kicking in and it can happen fast.

fullofideas

The linked article is about a fraud conducted by a few bad apples. I can see people colluding with others that are similar to them for criminal activities - gangs, drug smuggling, and probably other frauds too. I am not sure how you inferred caste based nepotism among *all* indians in tech from that article.

UltraSane

I can only say that every Indian boss I got started hiring only Indians.

Cumpiler69

For one, I didn't say "all Indians" are bad apples, just that the nepotism and caste issues are rampant enough that it's a known issue at this point in the tech industry where Indians are sometimes overrepresented.

Secondly, do you expect people to post links to all cases of Indian nepotism/caste issues in the tech industry, when Google is at your fingertips with enough cases that it's not an isolated incident? That link was one an Indian friend shared right now when I sent him the Subaru link, when I asked him if the nepotism is real.

blackeyeblitzar

> Indians are some of the most racially nepotistic out there

I’ve heard this claim made often here but never observed it in real life. I think you and others who repeat this claim are confusing nepotism with just using one’s network to accelerate hiring. If someone happens to have a social or professional network mostly of one race, that doesn’t mean they’re automatically nepotistic when they draw from that network. Somehow this label rarely arises when white managers end up with mostly white teams. Why is that?

bilekas

> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

This is mind blowing to me.. Number 1 why you need a car connected to the internet all the time ? And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.

jeroenhd

> Number 1 why you need a car connected to the internet all the time

To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot.

> And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.

Legally speaking, I believe that depends on your local privacy laws. Practically speaking, car makers (and government agencies) love these features for troubleshooting and tech support, or for flagging crashes before any authorities or local press have time to arrive (think Tesla).

Don't ask them about finding your stolen car, though. Then the data may suddenly not be available.

bilekas

> To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot

I really hope this was sarcastic. How did we ever manage to find our cars before IoT cars …

rtkwe

You can also do other stuff like start the climate controls so the car is comfortable before you reach it on hot or cold days.

beezle

Just as an aside - a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find my car type thing. The cops said they saw nothing on the street so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.

He now has a new vehicle.

theonething

Is your comment supporting the find my car feature or saying it was useless?

bilekas

I'm starting to come around to the idea in general actually with all the comments promoting the benefits. I still don't see why travel locations need to be recorded though. A pinging service would suffice if it was always connected.

selimthegrim

This might say more about the NYPD than Toyota

reaperducer

> a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find my car type thing. The cops said they saw nothing on the street so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.

Here's the way it's done with Volvos (from the manual):

   If the vehicle has been stolen or otherwise used without permission, the vehicle's owner, police and Volvo Assistance can agree to track the vehicle.

   Note
   This applies even if the vehicle has been opened and stolen using the associated remote key.

   The following needs to be done:

   1. Contact Volvo Assistance and say that you need help tracking the vehicle. Tracking begins.
   2. File a police report.
   3. Contact Volvo Assistance again and give them the police case number.
   4. Volvo Assistance notifies the police of the vehicle's location.

reaperducer

> honk the horn if you lost it in a large parking lot.

Solved problem since at least the late 1980's. No internet required.

dv_dt

There was a recent HN posting on the US banning Chinese car brands from being connected to the internet. https://news.ycombinator.com/item?id=42706212

If Chinese companies comply with the ban by providing car models without internet connectivity, it's hilarious to me that that the nationalist regulation could make Chinese branded vehicles more desirable from a security & privacy standpoint.

insane_dreamer

Remote start, climate etc from the app all require an always-on connection (how else?). Tesla has the same thing.

I use the remote app often - quite useful.

dylan604

Remote start does not require an app nor an always on connection. I was able to do this with a key fob in the early 00s

redwall_hp

Neither does climate control. If I remote start my Civic with its fob, it will heat or cool to the desired temperature I left it on. (And it will run the defroster if it's below a certain temperature outside.)

Having to think about the climate control is an anti-feature in itself, when that's a basic thermostat feature...

insane_dreamer

I know how key fobs work, thank you.

I mean the ability to control the car remotely without line of sight or being anywhere near it, such as turning on the climate to warm up the car while still in a building so it's not freezing cold when we get back to the car with the kids, or while the car is in the garage, locking the car remotely because you're blocks away and aren't 100% sure you locked it before you left, opening the windows slightly so the car doesn't overheat in hot weather (Subaru doesn't do this unfortunately, but the Tesla does). The one thing it doesn't do which I wish it did, is roll up the windows remotely.

n_plus_1_acc

European eCall directive requires a SIM card

netsharc

Hah, them being able to bypass the 2FA by commenting-out the line:

$('#securityQuestionModal').modal('show');

is... mind-bogglingly stupid of whoever got the job to write that Starlink web-app.

OTOH, the hacker hijacked a Starlink employee's account to get in, isn't that over the line in terms of "ethical hacking"/legality standpoint?

bean-weevil

It may well be over the line, but it sounds like Subaru is grateful for the report, so nothing will come of it. Definitely not a risk I would take.

Mountain_Skies

Back when I used to do AppSec, these types of issues were extremely common. Software developers and their managers would argue endlessly about them not being real vulnerabilities, which meant I had to put together a proof of exploitability. And since these were interdepartmental fights, office politics get involved. Just one of the dozen or so reasons why I stopped doing AppSec and went back to development.

_joel

That seems like a culture issue rather than an appsec issue?

preisschild

Or not requiring ANYTHING to authenticate in your forgetPassword endpoint, but being able to set a new password directly instead of sending a randomly generated one per email / sending a one-time token to reset the password yourself via email


insane_dreamer

This one was especially egregious.

_joel

Glad they had unit and integration tests to make sure that an unauthenticated user couldn't reset passwo... oh, wait...

ben7799

I have a 2013 Outback Limited that is basically right before all this stuff got really stupid and weird. It's a great car other than it's not very fast and it gets really bad gas mileage. Amazing in the snow. I have had it since December 2012, so I've had plenty of service visits where I got newer loaners. (I special ordered my car to basically load it but not have Starlink, not have the Sunroof, but have the leather seats and the HK upgraded stereo.)

Every time I have gotten a newer Subaru as a loaner it strikes me that they are worse cars for all this new stuff. The user interface is horrible in the new ones. In a lot of cases they have a skeuomorphic interface up on the touch screen that mimics the physical controls in my car! The actual physical controls are about 100x faster to operate and you quickly learn where the buttons are without looking.

I had an Ascent Onyx loaner last summer.. the entire touch screen UI looked like it was barely operating above 10fps. Just gross. Lots of the UI is black and white as well, not even tasteful grayscale. The Onyx I had also had the upgraded HK stereo and that is not as good as the one in my car as well, it sounded noticeably worse.

The electric steering on the new Subarus is terrible as well. My old Outback is not exactly a sports car but getting out of new one back into mine it feels like you're getting into a Porsche or something when you feel the hydraulic steering. Engine/Turbo lag on a lot of the new ones is gross as well.

This is of course even worse! My car only has 120k miles on it, I plan to keep it for another 4 years and then maybe give it to my kid when he gets his license. Somehow I doubt Subaru will have a competitive vehicle by then. For me to consider another one they'd really need to have an EV Outback/Forester/Ascent or a Hybrid version that gets at least 40mpg. And they need to fix all this horrible infotainment stuff in a way that the car operates better than a kid's toy and actually drives well like an older Subaru. Also they need to get off the whole stupid thing with giant rims. It's supposed to be a Subaru, it needs to have tires appropriate to going relatively fast on dirt roads.

reginald78

We actually own two Outbacks, a 2011 and a 2019. Both my wife and I hate the touchscreen system in the 2019, it is full of irritating bugs and even the physical climate controls (which IIRC were going away for the 2020 model year) have horrible indicators of their status compared to the older one.

I'd say the backup camera is a welcome addition for the newer one but if the roads are even remotely dirty the camera almost immediately becomes totally obscured rendering it useless, which around here occurs at least half the year.

Combined with the battery drain issue I will probably not buy another one. At the most I'll give them a test drive to see if the control system has been returned to some semblance of sanity. Unfortunately all new cars seem to be privacy nightmares so I'm not sure how I'll avoid that.

DwnVoteHoneyPot

In addition to your comments, I think Subaru's all-wheel drive system has been switched to electrical instead of mechanical, making it worse. There are roller tests on youtube which show Subaru AWD being outperformed by Ford AWD systems.

ben7799

They have different AWD systems in different vehicles and for some vehicles there is more than one system depending on which transmission you purchased. (At least when there was a choice)

Mine is electrically controlled (and many Subarus are) but it's still connected full time. IME driving other electrically controlled non-full time systems, what you feel in those is the electrically controlled clutch packs completely disconnecting the rear wheels, and the AWD is 100% disabled until the traction control system kicks in. Then you get a brief moment where the car feels out of control until the clutch activates the AWD. The tradeoff is that a system that completely disconnects the rear wheels results in those vehicles (e.g. Honda/Toyota) getting much better fuel economy than Subarus as they operate as front-wheel drive almost all the time.

I have never been in any Subaru that behaved that way. And a roller test is not where it matters anyway. Roller tests are contrived. Where you feel the difference between permanent AWD and part-time AWD is medium and high speed situations where the vehicle starts to lose control. Most people will never put any family crossover/SUV into a situation anywhere close to the roller tests or hill ascent tests.

All of this seems to become completely meaningless with EVs being the future.

olyjohn

The CVT in combination with the terrible traction control also kills any chance you have of getting out of a stuck situation. Subaru's AWD system is now mostly just marketing. So it's basically on par with most AWD systems, because most of them really are a joke.

_huayra_

FYI for Subaru owners, you can opt out and have your data deleted anywhere in the US (not just California): https://www.subaru.com/support/consumer-privacy.html

It'll take ~6 months or so, but they will send you a confirmation email.

jcomis

FWIW I have done this and received no confirmation or anything after more than 6 months. I keep submitting, maybe it's working, but it doesn't seem to actually result in a confirmable change.

for sure my retailer, which are 3rd parties according to that page, still has 100% access to the data, as they were able to tell my car was in another state when I called recently. seems pretty troubling

nyokodo

> I have done this and received no confirmation or anything after more than 6 months

Sue them, make it a class action.

simonlc

Question, if you can remote start a subaru with starlink, does that mean I could start my car from the command line during winter??? I don't pay for starlink, never really looked into it, but it sounds cheaper than installing a remote start system lol.

t1234s

Having developed back end portals like this one for much smaller companies I find it hard to believe that there is an open endpoint to reset a password without any type of verification. What goes wrong in development that this type of crap makes it to production?

duxup

It's weird, is there no feedback of any kind in these companies?

All outsourced maybe?

I don't get it. That would be a huge red flag and a fairly easy to understand / sell red flag.

t1234s

Even if it was outsourced is there zero quality control?

anarticle

Outsourcing means you want to impose an upper limit on the cost of the feature/software. Quality control may cost more, so yes!

The acceptance criteria are: service portal needs to work so employees can do xyz. The design is terrible but "works"!

Having to rearc after these terrible designs would cost more, so you can see where this is going...

rjmunro

> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

How did they verify the never exploited maliciously part?

Did the person whose password they changed ever notice that their password didn't work any more and report the problem?

arrowleaf

Assuming `samwcurry@gmail.com` belongs to the same person who owns samcurry.net, they changed their own password.

ziddoap

Is anyone aware of a list of affected models posted anywhere? All 2015+ models?

Obviously the ability to pull up account history, previous owners, etc. is applicable to anyone with a Subaru.

But I'm curious if location history shows up for people that have Subarus and never registered Starlink/never used the app. The author says:

>but it seemed that we had agreed to the STARLINK enrollment when we purchased it.

But it's not clear to me whether "it" refers to purchasing Starlink or purchasing the vehicle.

Cerium

Purchasing the vehicle.

stuff4ben

As a DevSecOps/SRE whatever, I just gotta give props to the Subaru team for getting it patched within 24 hours. While it's just a small internal admin dashboard without real customer usage, the fact they acknowledged and fixed the issue so quickly speaks well of at least that part of Subaru IT.