Hacking Subaru: Tracking and controlling cars via the admin panel
333 comments
· January 23, 2025 · dantillberg
Propelloni
This is pretty well known and true for almost all car manufacturers. A few years ago there was a small upset about this [1]. My Opel (a Stellantis brand) happily shows me a message that it is now sharing my location data and that I can change that by pressing the message now -- while I drive. It never shows the message when the car is not moving. I lavishly spread a blanket of Hanlon's Razor over this.
[1] https://foundation.mozilla.org/en/privacynotincluded/article...
Melatonic
Good to know
Seems pretty blanket wide legalese. The part about audio recordings seems a bit troublesome however
cmgbhm
The non-troublesome use-case is clicking the Starlink button and talking to their support.
Having bought a Subaru, I really tried to see where the consent is in the process. In my case, I think it’s the account establishment process that the dealer did.
badmintonbaseba
How is that supposed to work for second hand vehicles?
NooneAtAll3
> that the dealer did
is that even legal?
can one go to court for "absence of consent"?
meristohm
In this case, how is consent revoked?
GJim
But not in the UK or EU.
Need I say which law protects us..... the one a significant number of HN readers (a technical news site!) appear to remain in shocking ignorance of?
robertlagrant
You can do this in the UK or EU if you like; you just need to have permission to do so from the data subject.
Eavolution
How does that work if the car's sold? The car itself doesn't know it's been sold.
mavdi
Not surprised. I've had a few interactions with Subaru connected services dev team as an external contractor from another car company, everyone was everyone else's cousin, friend, homeboy from India. Nepotism was rampant, no one wanted to listen to advice, a strong culture of corporate antibodies had formed. I'm surprised they even got it to work at this level.
duxup
I love my Subaru as far as reliability, all wheel drive performance in snow and ice, and such.
But OMG its consumer tech was dated when I bought it, and it's just full of inexplicable issues and caveats and such. Even just the limitations and the UX issues are so obvious that it sends a message that if they tried to fix them they would introduce just as many new issues. I'm at the point where despite the car being good, I'm not interested in a new one from Subaru.
I just want CarPlay or Android Auto or whatever similar services a given mobile OS provides to do similar things. That's it; every time it's something else (even when offering CarPlay) from a car maker, it is so bad and so naively built that it makes me less confident in that company.
I know, they want my data and all and that's the motivation, but man it's just such a downer with every system.... and here I am with a good car in most respects and I'm not planning on buying from them again.
numpad0
I suspect it has to do with slow adoption of CarPlay/Android Auto in Japan - everyone still options aftermarket infotainment at dealerships and happier about it than with phone-based experiences. From a random Google search result[1]:
> More than three-fourths (79%) cite the built-in navigation system. However, this percentage has decreased from 81% in 2022 and 82% in 2021. Use of Android Auto/Apple CarPlay apps is increasingly the preferred system, with 7% of users citing this in 2023, compared with 5% in 2022 and 3% in 2021.
That's like 80% CP/AA adoption by 2060. UI/UX and especially overall experience polish has always been a major challenge for Japanese engineering. Everything is committee designed in a perpetual intra-company tug of war, and it shows as a "family sized mega pack" UI consisting of a bunch of code snippets, each with an attention-grab dialog to prove its worth. That was clearly one of the major causes that led to the total collapse of the domestic phone industry and iPhone dominance, but I suppose it hasn't affected car infotainment, or mass market cars in general.
1: https://japan.jdpower.com/sites/japan/files/file/2023-11/202...
duxup
>UI/UX and especially overall experience polish had always been a major challenge for Japanese engineering.
I can believe it. The whole issue of "Japanese video game companies don't understand the internet" to some extent still feels like it is an issue at times.
For a while it felt like we got late 1990s solutions in the mid 2010s... it's gotten better-ish in the land of video games, but man it's so bad at times still.
scottbez1
Hmm this is really different than my experience with a 2018 Crosstrek, so maybe things have changed? When I bought it, Subaru was among the earlier CarPlay/Android Auto adopters (we specifically ruled out a new model year Prius because it lacked it and we couldn't wait a year to replace our totaled car just for CarPlay/AA), and other than a very rare issue where the head unit screen doesn't turn on, it's been pretty rock solid with both phone OSes.
Environmental controls are all physical hardware, CarPlay/AA is integrated well, etc; I can't really complain about any UX in the car.
The only UX gripe I can think of is that Apple doesn't let you use natural touch inputs to pan/zoom a map (instead forcing you to tap to bring up on-screen d-pad, then keep tapping the tiny button targets while trying to keep an eye on the road), but that's entirely on Apple; Android Auto allows normal 2 finger pan/zoom, so it's not a Subaru problem.
indymike
I have a 2018 Crosstrek and a 2024 Outback. They both are really, really, good, and here are the two rough edges.
* Crosstrek doesn't do wireless CP/AA, and the USB only supplies 1.5a, so it sometimes isn't enough to charge the phone while listening to music and navigating. This is a common problem in 2018 vehicles. USB-C had not conquered the world yet.
* Outback has a big screen. The only complaint is that it is too aggressive, telling users no because the vehicle is moving. Passenger operating the touch screen is a thing, and nothing is worse than having to pull over so someone can change a setting. Also, it is a very bad experience to be going 70MPH, tap a button, and be told no - will be interesting to see if this causes accidents where people momentarily stop paying attention to the road because they are raging to the touch screen.
One thing that is really nice about Subaru is that the controls just evolve a little from model year to model year. When I got the Outback, there were only a few buttons that had moved to get used to. Aside from climate control, almost everything has buttons, and most of the time, they are on a stalk or steering wheel.
There is no cure for digital privacy in any modern car. And there is no consumer choice to enable or disable data sharing. We need some legislative intervention here.
wildzzz
I noticed that too with CarPlay. Trying to pan around in Waze is impossible but doing it in Android Auto is very easy. The one nice thing about CarPlay Waze is that it allows keyboard input, Android Auto (at least in my Subaru) only allows for speech to text when searching locations.
syndeo
It's something about how they have it configured. I have a '17 Honda Civic and its built-in CarPlay lets me pan and scroll just fine. However, on my '23 Ascent, I have to tap arrows to pan the map, and vertical "scrolling" is actually just pagination. Same iPhone, different behavior. It must be some simple config toggle on Subaru's end that they left off for whatever reason.
lfshammu
2018 is the last year some Subaru models had non-terrible head units. The iPad-style vertically oriented screens are the problematic type.
Physical controls are gone, the UX is terrible, and the hardware is underpowered post 2018.
marcellus23
> that's entirely on Apple
CarPlay supports pan gestures based on configuration provided to it by the car maker. This is entirely on Subaru for misconfiguring their CarPlay integration.
ajsnigrutin
yep...
there was a tv ad for subaru vehicles a couple of years ago (not that long!), and during the ad, they showed the infotainment system, where the user pans the map on the navigation touchscreen, and the map moves at maybe 1fps! in an ad!
I kinda wish they standardized the car interface for tablets (like android auto, but more features), where you could just buy a tablet and insert it in (like din slots for radio, but tablet-sized), and the car would expose some non-critical interfaces to the tablet (AC,...), and you could just buy a replacement tablet if needed. Cars are made to last 10, 15, even more years, while the computers/entertainment devices move a lot faster, and that includes the connectivity (many cars on the streets today were made before 4g, and 3g is mostly dead).
monitorlizard
This is a genuinely good idea for a business that I think you should explore further if you have the bandwidth.
emeril
i have such a subaru - the nav is a joke - the whole UX for their GUI is bad but the car seems mostly okay
recently got a mazda - seems generally better though I think most car interfaces are crap
da768
Look into "iDatalink" aftermarket radios
oremolten
unfortunately the entire global system is designed so that more has to be sold than last year. in the US as a publicly traded corporation you are legally liable to make more than the year before... we're lucky cars even last as long as they do now...
blackeyeblitzar
Subaru infotainment is also very controlling. Want to use the keypad while you’re taking a phone call on the go? No, it won’t let you if the car is moving. You’ll need to use your phone’s UI. Other CarPlay cars don’t do this.
js2
My 2017 Mazda with CarPlay does something similar. It truncates any lists (songs, podcast episodes, contacts, etc) that CarPlay displays to 10 items. All it does is incentivize folks to use their phone. It's incredibly annoying because the Mazda command dial for interacting with CarPlay is otherwise excellent and I don't think that limiting the list size does anything to reduce distraction.
OptionOfT
My BMW does the same. I can't use the CarPlay keyboard while moving.
It is especially annoying since the car does not (can not) distinguish between me or the missus pressing the touch screen.
Melatonic
I purposely bought the last Subaru without CarPlay/Android Auto for this reason - I could upgrade my head unit but I like the slightly more old-school one.
The touchscreen is slow to respond and has few options, and the only way to really connect a phone is Bluetooth or 3.5mm. It really just does music and calls. However, long term I was a lot more confident in phones supporting backwards compatibility for Bluetooth vs Subaru keeping CarPlay/Android Auto up to date - and I plan to keep this thing for a very long time.
yesiamyourdad
I loved mine until the transmission blew out at 96,000 miles. Could be a one-off, but then a friend bought a used one with 108,000 miles, and the dealer proudly noted that it had a new transmission just installed. I think that vaunted reliability is gone.
That aside, the one thing I haven't liked is the electronics. Many times it gets out of sync with the phone and simply can't connect, the only fix is to shut the car off, open the door so the stereo shuts off, then restart the car. The FM radio also quit working at one point, which I didn't really care about, but the dealer applied a software update and it started working again. That's just the visible stuff though, so much of the car is software controlled now, I think you have to start taking any software issues as a warning about the overall car.
quickthrowman
The boxer engines also burn oil like crazy after like 75k miles, I gave up on Subaru and got a RAV4.
ellisd
Subaru's in-vehicle entertainment technology has long been criticized, even before features like CarPlay became standard. Take my 2012 WRX, for example—its Bluetooth reception was the worst I've ever experienced in a Bluetooth-equipped vehicle. Audio feeds would randomly pop and drop out during podcasts, even when the phone was within a two-foot radius of the deck.
Over the years, I tried multiple iOS and Android phones, but nothing improved the situation. Ultimately, the only solution was a complete deck replacement. Now, I’m using a "Joying" Android head unit with a rip-off version of CarPlay, which has finally resolved these issues.
spelunker
I have a car from another Japanese manufacturer (Mazda) - their connected services app is weird and clunky and was down twice this month. And I'm expected to pay $10/month for this thing after the first year! Cmon.
Cumpiler69
[flagged]
duxup
Working across cultures is so wild.
I worked in situations where things were outsourced and yeah the Indian experience was horrific. But that also was influenced by the nature of the relationship.... they didn't work "for us" in any real way.
I worked for a company where we (a Midwestern company) were acquired by a valley company and at HQ there was a clear divide between the Indian (US citizens, not H1B) folks and the local CA team. It wasn't bad, but you could see it socially and feel the vibe and such.
I traveled there a few times and I was just friendly and ... man they were great. Very friendly, very professional, and highly capable.
Sometimes I think the business relationships also creates the informal "working culture" too.
UltraSane
We once hired an Indian programmer who absolutely didn't get along with his boss, who was also Indian. Turns out the boss was a Dalit and the programmer was a Brahmin. And this is how I learned about the Indian Caste system.
kccqzy
I've heard of this claim so often that I assume it to be true, though personally I've only had the fortune to work in better environments where my Indian colleagues aren't nepotistic. I suspect this might be related to the hiring bar: if a company only hires the top talent perhaps this would not be an issue.
gedy
Unfortunately I think it depends on the number and position of Indian folks.
Small numbers where you deal with people individually, I've not seen issues and it's nice to work with Indian devs.
In larger numbers or when in charge of hiring, there seems to be a prevalent issue of Indian cultural norms and favors kicking in and it can happen fast.
fullofideas
The linked article is about a fraud conducted by a few bad apples. I can see people colluding with others that are similar to them for criminal activities - gangs, drug smuggling, and probably other frauds too. I am not sure how you inferred caste based nepotism among *all* indians in tech from that article.
Cumpiler69
For one, I didn't say "all Indians" are bad apples, just that the nepotism and caste issues are rampant enough that it's a known issue at this point in the tech industry, where Indians are sometimes overrepresented.
Secondly, do you expect people to post links to all cases of Indian nepotism/caste issues in the tech industry, when Google is at your fingertips with enough cases that it's not an isolated incident? That link was one an Indian friend shared just now when I sent him the Subaru link and asked him if the nepotism is real.
UltraSane
I can only say that every Indian boss I got started hiring only Indians.
blackeyeblitzar
> Indians are some of the most racially nepotistic out there
I’ve heard this claim made often here but never observed it in real life. I think you and others who repeat this claim are confusing nepotism with just using one’s network to accelerate hiring. If someone happens to have a social or professional network mostly of one race, that doesn’t mean they’re automatically nepotistic when they draw from that network. Somehow this label rarely arises when white managers end up with mostly white teams. Why is that?
Cumpiler69
> Somehow this label rarely arises when white managers end up with mostly white teams. Why is that?
Easy: If you're in a country that's ~90% white, why would it be a surprise that 90% of the labor ends up being white? Are you seriously trying to play dumb and question obvious stuff like demographics under the nepotism/racism playing card? Similarly, why would it be surprising that a team in India is ~100% Indians?
But if in a country with a majority white demographic, Indian managers hire their wives, extended family members and Indian connection to work in their teams, therefore excluding a lot of the local, mostly white candidates, from the resume pile out of the get-go, you can't not raise eyebrows and assume potential discriminatory hiring practices, which are illegal in most western nations.
xp84
First of all the term nepotism doesn’t get used there because white managers with mostly white teams simply get called racist, and “in violation of our DEI policy.”
For white people, just having your whole network be mostly white is itself said to be a red flag to a lot of people, regardless of how it came to be that way. So the same should apply to Indian people too. Their network ought to be more diverse if that’s the only place they are going to hire from.
(Or else we can drop the quotas, and hire on merit only - I’m absolutely fine with that!)
Personally my network has plenty of both. I’ve worked with some incredible Indian, American, and Indian-American people and they’ve each earned my respect.
netsharc
Hah, them being able to bypass the 2FA by commenting-out the line:
$('#securityQuestionModal').modal('show');
is... mind-bogglingly stupid of whoever got the job to write that Starlink web-app.
OTOH, the hacker hijacked a Starlink employee's account to get in, isn't that over the line in terms of "ethical hacking"/legality standpoint?
Mountain_Skies
Back when I used to do AppSec, these types of issues were extremely common. Software developers and their managers would argue endlessly about them not being real vulnerabilities, which meant I had to put together a proof of exploitability. And since these were interdepartmental fights, office politics get involved. Just one of the dozen or so reasons why I stopped doing AppSec and went back to development.
_joel
That seems like a culture issue rather than an appsec issue?
solatic
I left security work for a similar reason. In most companies, Security isn't there to collaboratively build more reliable and dependable products that protect customer privacy, bringing in a useful perspective of how things can go wrong, similar to QA's role. Instead, Security is there to be the internal police, who treat engineers (and other employees) like criminals, and get recognition and rewards for stopping the company from shipping. The way the vast majority of companies treat Security is deeply dysfunctional and soul-killing to anyone who wants to bring a glass-half-full mentality to work. And in an industry where it has become practically an expectation for people to jump ship after ~4 years, that's too much of a career risk to take. (side note: QA has exactly the same problem.)
bagels
If most of your customers are like this, does the distinction matter?
dboreham
It's the toxic culture that creates the security issues. Because people who won't listen to others end up doing stupid things.
yesiamyourdad
"no matter what they tell you, it's always a people problem." - Gerald Weinberg
amatecha
I was about to say exactly this. This is like REALLY BASIC stuff in designing web services. The fact you can reset the password with a single HTTP POST is mind-boggling, bypassing the 2FA by hiding a <div> is mind-boggling. Like, completely negligent. (btw they took over a Subaru employee account, not Starlink)
preisschild
Or not requiring ANYTHING to authenticate in your forgetPassword endpoint, but being able to set a new password directly instead of sending a randomly generated per email / send a one time token to reset the password yourself via email
xp84
To me that sounds exactly like what I would expect from some of the junior developers I’ve met in recent years. Most of the business logic in JavaScript. Poor modeling of a client-server relationship, and no consideration of which parts of the system can be trusted. The design was based on the non-technical requirements doc or the mockups, and an inexperienced front-end developer asked the inexperienced backend guy (or maybe they’re the same person) for an endpoint, and for the inputs, he mapped directly the fields in the form.
Thankfully, even AI writes better code than this, so as this type of developer quickly becomes unemployable over the next few years, I think we’ll see a temporary increase in code quality.
insane_dreamer
This one was especially egregious.
bean-weevil
It may well be over the line, but it sounds like subaru is grateful for the report, so nothing will come of it. Definitely not a risk I would take.
anentropic
It's like they had no idea of how 2FA is supposed to work apart from what it looks like as a user
mattsimpson
This is exactly what I came here to say as well. Whoever wrote this fundamentally just doesn't get it.
This whole thing is honestly what I've suspected/expected owning this car, but it's somehow still surprising to see. My guess is no car company does this really well right now, and makes me want to drive a 1998 Acura Integra instead.
_joel
Glad they had unit and integration tests to make sure that an unauthenticated user couldn't reset passwo... oh, wait...
bilekas
> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.
This is mind blowing to me.. Number 1 why you need a car connected to the internet all the time ? And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.
dv_dt
There was a recent HN posting on the US banning Chinese car brands from being connected to the internet. https://news.ycombinator.com/item?id=42706212
If Chinese companies comply with the ban by providing car models without internet connectivity, it's hilarious to me that the nationalist regulation could make Chinese branded vehicles more desirable from a security & privacy standpoint.
reaperman
The current 100% tariff on Chinese EVs will negate that advantage for American consumers.
jmward01
In the short term. In the medium term it just means that when they finally do break in they will demolish the incumbent. This is exactly what happened with the US auto industry in the 80s. Protecting an industry with tariffs and legislation often makes that industry lazy and slow to innovate and eventually just kills it because they have forgotten how to compete.
jajko
Europe doesn't have that high tariffs on them, neither does the rest of the world. Chinese manufacturers will continue their global meteoric rise whether they are successful in the US or not; it's just 4% of the population, even if wealthy.
And if they actually do provide better cars (more secure and respecting privacy while massively cheaper), who am I to complain.
jeroenhd
> Number 1 why you need a car connected to the internet all the time
To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot.
> And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.
Legally speaking, I believe that depends on your local privacy laws. Practically speaking, car makers (and government agencies) love these features for troubleshooting and tech support, or for flagging crashes before any authorities or local press have time to arrive (think Tesla).
Don't ask them about finding your stolen car, though. Then the data may suddenly not be available.
bilekas
> To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot
I really hope this was sarcastic. How did we ever manage to find our cars before IoT cars …
rtkwe
You can also do other stuff like start the climate controls so the car is comfortable before you reach it on hot or cold days.
beezle
Just as an aside - a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find-my-car type thing. The cops said they saw nothing on the street, so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.
He now has a new vehicle.
reaperducer
> a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find my car type thing. The cops said they saw nothing on the street so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.
Here's the way it's done with Volvos (from the manual):
If the vehicle has been stolen or otherwise used without permission, the vehicle's owner, police and Volvo Assistance can agree to track the vehicle.
Note
This applies even if the vehicle has been opened and stolen using the associated remote key.
The following needs to be done:
1. Contact Volvo Assistance and say that you need help tracking the vehicle. Tracking begins.
2. File a police report.
3. Contact Volvo Assistance again and give them the police case number.
4. Volvo Assistance notifies the police of the vehicle's location.
selimthegrim
This might say more about the NYPD than Toyota
bilekas
I'm starting to come around to the idea in general actually, with all the comments promoting the benefits. I still don't see why travel locations need to be recorded though. A pinging service would suffice if it was always connected.
theonething
Is your comment supporting the find my car feature or saying it was useless?
reaperducer
> honk the horn if you lost it in a large parking lot.
Solved problem since at least the late 1980's. No internet required.
afh1
All cars in Europe must be connected to the internet at all times by law, to determine their location, in case of an accident the law states.
https://europa.eu/youreurope/citizens/travel/security-and-em...
In the US a bill was passed requiring driver impairment equipment on all vehicles and automatic deactivation of the vehicle if the driver is determined to be impaired. Current impairment technology monitors head and eye movement and/or blood or breath.
hulium
> All cars in Europe must be connected to the internet at all times by law, to determine their location
The source you link very explicitly contradicts that:
> Your eCall system is only activated if your vehicle is involved in a serious accident. The rest of the time the system remains inactive. This means that when you are simply driving your vehicle, no tracking (registering your car's position or monitoring your driving) or transmission of data takes place.
KomoD
(Also not in Europe but in the EU, there's a difference)
NooneAtAll3
how does it determine "serious accident"?
bilekas
> All cars in Europe must be connected to the internet at all times by law, to determine their location, in case of an accident the law states.
It isn't connected to 'the internet' either; it's an emergency call activation service. I.e. you can activate it to call 112 (emergency services) when needed without a charge; in fact it uses a SIM card to do so.
In fact your link doesn't mention 'online' or 'internet' anywhere.
Angostura
That's a bizarre interpretation of 'cars in Europe must have a system to automatically call emergency services when they crash/their airbags deploy'.
iforgot22
In general, a lot of things in cars are for the law rather than the owner. I'm not saying it's a bad thing, just is what it is. Emissions is the biggest one.
insane_dreamer
Remote start, climate etc. from the app all require an always-on connection (how else?). Tesla has the same thing.
I use the remote app often - quite useful.
dylan604
Remote start does not require an app nor an always on connection. I was able to do this with a key fob in the early 00s
redwall_hp
Neither does climate control. If I remote start my Civic with its fob, it will heat or cool to the desired temperature I left it on. (And it will run the defroster if it's below a certain temperature outside.)
Having to think about the climate control is an anti-feature in itself, when that's a basic thermostat feature...
brookst
Key fob works great if the car is close. Remote start by app is fantastic when it’s farther away.
insane_dreamer
I know how key fobs work, thank you.
I mean the ability to control the car remotely without line of sight or being anywhere near it, such as turning on the climate to warm up the car while still in a building so it's not freezing cold when we get back to the car with the kids, or while the car is in the garage, locking the car remotely because you're blocks away and aren't 100% sure you locked it before you left, opening the windows slightly so the car doesn't overheat in hot weather (Subaru doesn't do this unfortunately, but the Tesla does). The one thing it doesn't do which I wish it did, is roll up the windows remotely.
n_plus_1_acc
European eCall directive requires a sim card
devinegan
Because it has an SOS feature.
ben7799
I have a 2013 Outback Limited that is basically right before all this stuff got really stupid and weird. It's a great car other than it's not very fast and it gets really bad gas mileage. Amazing in the snow. I have had it since December 2012, so I've had plenty of service visits where I got newer loaners. (I special ordered my car to basically load it but not have Starlink, not have the Sunroof, but have the leather seats and the HK upgraded stereo.)
Every time I have gotten a newer Subaru as a loaner it strikes me that they are worse cars for all this new stuff. The user interface is horrible in the new ones. In a lot of cases they have a skeuomorphic interface up on the touch screen that mimics the physical controls in my car! The actual physical controls are about 100x faster to operate and you quickly learn where the buttons are without looking.
I had an Ascent Onyx loaner last summer.. the entire touch screen UI looked like it was barely operating above 10fps. Just gross. Lots of the UI is black and white as well, not even tasteful grayscale. The Onyx I had also had the upgraded HK stereo and that is not as good as the one in my car as well, it sounded noticeably worse.
The electric steering on the new Subarus is terrible as well. My old Outback is not exactly a sports car but getting out of new one back into mine it feels like you're getting into a Porsche or something when you feel the hydraulic steering. Engine/Turbo lag on a lot of the new ones is gross as well.
This is of course even worse! My car only has 120k miles on it, I plan to keep it for another 4 years and then maybe give it to my kid when he gets his license. Somehow I doubt Subaru will have a competitive vehicle by then. For me to consider another one they'd really need to have an EV Outback/Forester/Ascent or a Hybrid version that gets at least 40mpg. And they need to fix all this horrible infotainment stuff in a way that the car operates better than a kids toy and actually drives well like an older Subaru. Also they need to get off the whole stupid thing with giant rims. It's supposed to be a Subaru, it needs to have tires appropriate to going relatively fast on dirt roads.
01100011
I have been stranded twice because of Subaru firmware bugs which they knew about and failed to notify me of. The first one was the battery charging bug (which still happens even with the firmware fix, just more slowly). The second was the fuel gauge bug. This is a 2017 Outback, my second and last Subaru I'll ever own.
Regarding Starlink, there's actually a battery drain issue on older systems because the 3G modem fails to find a base station (because 3G is deprecated) and drains your battery doing retries. You can remove the Starlink module, but since the Bluetooth microphone and front speakers are routed through it, you'll lose that functionality unless you spend $80 for a dongle to restore them.
reginald78
We actually own two Outbacks, a 2011 and a 2019. Both my wife and I hate the touchscreen system in the 2019, it is full of irritating bugs and even the physical climate controls (which IIRC were going away for the 2020 model year) have horrible indicators of their status compared to the older one.
I'd say the backup camera is a welcome addition for the newer one but if the roads are even remotely dirty the camera almost immediately becomes totally obscured rendering it useless, which around here occurs at least half the year.
Combined with the battery drain issue I will probably not buy another one. At the most I'll give them a test drive to see if the control system has been returned to some semblance of sanity. Unfortunately all new cars seem to be privacy nightmares so I'm not sure how I'll avoid that.
ben7799
The 2024/2025 Ascent is what I had as a loaner that had the skeuomorphic UI on the screen that looked exactly like an older Subaru's physical climate control layout.
It was a major WTF when I first saw it.
DwnVoteHoneyPot
In addition to your comments, I think Subaru's all-wheel drive system has been switched to electrical instead of mechanical, making it worse. There are roller tests on youtube which show Subaru AWD being outperformed by Ford AWD systems.
ben7799
They have different AWD systems in different vehicles and for some vehicles there is more than one system depending on which transmission you purchased. (At least when there was a choice)
Mine is electrically controlled (and many Subarus are) but it's still connected full time. IME, driving other electrically controlled non-full-time systems, what you feel in those is the electrically controlled clutch packs completely disconnecting the rear wheels, so the AWD is 100% disabled until the traction control system kicks in. Then you get a brief moment where the car feels out of control until the clutch activates the AWD. The tradeoff is that a system that completely disconnects the rear wheels results in those vehicles (e.g. Honda/Toyota) getting much better fuel economy than Subarus, as they operate as front-wheel drive almost all the time.
I have never been in any Subaru that behaved that way. And a roller test is not where it matters anyway. Roller tests are contrived. Where you feel the difference between permanent AWD and part-time AWD is medium and high speed situations where the vehicle starts to lose control. Most people will never put any family crossover/SUV into a situation anywhere close to the roller tests or hill ascent tests.
All of this seems to become completely meaningless with EVs being the future.
olyjohn
The CVT in combination with the terrible traction control also kills any chance you have of getting out of a stuck situation. Subaru's AWD system is now mostly just marketing. So it's basically on par with most AWD systems, because most of them really are a joke.
ben7799
I'm curious which exact model/year you had and how you got stuck.
I've never even gotten anywhere near close to getting stuck in 12 years.
But I'm not a Subaru offroad enthusiast. It seems like lots of people really want to use a Subaru for situations where they should have gotten a mountain bike, dirt bike, ATV, etc..
asa400
I know this is a Subaru hate thread on a site that knows basically nothing about cars so I’m spitting into the wind here, but this is just untrue. I’ve had 3 Subarus over a 20 year period of time, driven the hell out of all of them in snow and dirt, worked on and modified all of them, and the traction control system on my most recent one is categorically, objectively better than either of the prior two. It makes about 100 more horsepower than the earliest one and still gets better fuel economy, at least in part because of the CVT, despite weighing probably 600 pounds more. The CVT works perfectly fine for anything that isn’t doing the Rubicon trail.
The AWD is one of the few remaining permanently fully engaged systems, unlike basically every other manufacturer.
You can hate on Subarus for the stuff they’re actually bad at (fuel economy, infotainment, wind noise, head gaskets in the EJ series engines) without having to make stuff up.
Melatonic
I have a CVT in my 2017 H6 Outback and the traction control is very easy to turn off. Two buttons and both the traction and spin control are off, and now it is just AWD with a limited slip differential in the back (feels pretty similar to my 2006 Outback H6 which had no electronic traction control). You can wheelspin all day if you want or feather the throttle or whatever - offroad driving has been amazing.
lightedman
> It's a great car other than it's not very fast and it gets really bad gas mileage.
My 2013 Outback Limited with rally package (wheel paddle shifters etc) gets 32 on the highway with my driving habits and almost 28 offroading. That's with larger tires and a disconnected swaybar for better articulation, everything else is stock. CVTs don't respond well to lead-footing.
winrid
The disconnected swaybar won't impact mileage FWIW
lightedman
It actually does when you're off-road. If you can keep all tires in contact with the ground you aren't wasting fuel spinning one that isn't in contact with the ground (I keep the traction control off when offroading to avoid the system engaging its brake-based power delivery since it isn't an actual 4x4.)
The difference has been absolutely measurable, with a ~15% increase in fuel efficiency in very hilly or rutted terrain.
_huayra_
FYI for Subaru owners, you can opt out and have your data deleted anywhere in the US (not just California): https://www.subaru.com/support/consumer-privacy.html
It'll take ~6 months or so, but they will send you a confirmation email.
jcomis
fwiw I have done this and received no confirmation or anything after more than 6 months. I keep submitting, maybe it's working, but it doesn't seem to actually result in a confirmable change.
for sure my retailer, which is a 3rd party according to that page, still has 100% access to the data, as they were able to tell my car was in another state when I called recently. seems pretty troubling
nyokodo
> I have done this and received no confirmation or anything after more than 6 months
Sue them, make it a class action.
gruez
That's not how lawsuits work. You can't sue just because you don't like something. You have to prove harm. "not getting confirmation" hardly counts, especially if said confirmation isn't required by law.
plagiarist
I wish that keeping this much data was a liability. I want companies to be liable for damages in the millions of dollars if they share an entire year's worth of location data without express permission from the vehicle owner. HIPAA for "just" PII.
neeeeeeal
This is the way. What legitimate interest could Subaru have in maintaining this much data about their customers?
genewitch
The most charitable guess I can make is that they use it to improve their driver assist, lane keeping, pacing, and that sort of thing.
location and g force and direction when the automated system shuts off and returns control to the driver, that sort of thing. I don't agree with it, but that would be my guess.
I own a Subaru that does this, so I'm not happy about it, but what can I do?
That's rhetorical.
TheCondor
Are you new?
That stuff is probably more valuable than many of us want to admit. There is the maybe more noble value: training data for maps, traffic analysis AI, engineering duty cycle data, things like that. Then there are the other uses, for example various surveys and studies are needed for new roads or signal changes, can this kind of data proxy for that? We would be talking about cutting millions of dollars out of some of these projects and months or even years off a timeline. Then the ad-tech, where do you put billboards and signage? Where do you build a shop? Probably other uses we aren’t even thinking about.
ndileas
Unfortunately, selling it to repo men is a widely accepted practice.
SoftTalker
So, make your payments.
mschuster91
The same thing all car manufacturers are after... AI. And I'm not joking this time.
Cars have become a commodity, especially since China made their first vehicles that didn't get outright banned in Europe for being too unsafe to be roadworthy, and even some nominally "entry level" cars have more horsepower under the hood than a 1990s 7-series BMW (138 kW). Strict requirements on emissions, fuel consumption and crash safety have all but eliminated differences in optics (the amount of shapes is finite). So the only thing left to differentiate other than build quality (where China is rapidly catching up) is assistance systems... and there, AI is the hot craze, and AI only works when it has insane amounts of data to gobble up.
Shocka1
The well known Japanese manufacturer I used to work for sold the data. Why else?
inetknght
> I want companies to be liable for damages in the millions of dollars if they share an entire year's worth of location data without express permission from the vehicle owner.
Moreover, not just millions of dollars in aggregate, but millions of dollars per individual customer whose privacy was violated.
TheJoeMan
If I collected this much information about a single individual, I would go to jail for stalking. But with the wonders of technology, I can stalk "at scale"!
coldpie
The best case scenario for the next 5-10 years is that there will be no new federal privacy regulations. More likely, privacy regulations will be even further relaxed and customers will have even less recourse for violations.
You might have some luck pursuing this at the state level if you're lucky enough to live in a handful of states such as California or Minnesota.
plagiarist
I wish you weren't correct. It is more likely some sort of federal regulation undoes protections such as CCPA.
stuff4ben
As a DevSecOps/SRE whatever, I just gotta give props to the Subaru team for getting it patched within 24 hours. While it's just a small internal admin dashboard without real customer usage, the fact they acknowledged and fixed the issue so quickly speaks well of at least that part of Subaru IT.
simonlc
Question, if you can remote start a subaru with starlink, does that mean I could start my car from the command line during winter??? I don't pay for starlink, never really looked into it, but it sounds cheaper than installing a remote start system lol.
t1234s
Having developed back-end portals like this one for much smaller companies, I find it hard to believe that there is an open endpoint to reset a password without any type of verification. What goes wrong in development that this type of crap makes it to production?
duxup
It's weird, is there no feedback of any kind in these companies?
All outsourced maybe?
I don't get it. That would be a huge red flag and a fairly easy to understand / sell red flag.
t1234s
Even if it was outsourced is there zero quality control?
anarticle
Outsourcing means you want to impose an upper limit on the cost of the feature/software. Quality control may cost more, so yes!
The acceptance criteria are: service portal needs to work so employees can do xyz. The design is terrible but "works"!
Having to rearc after these terrible designs would cost more, so you can see where this is going...
iforgot22
Probably QA is only going to make sure the features work. They aren't pen-testers. At best, they might try some unexpected inputs that trigger a security vuln.
rasz
>$('#securityQuestionModal').modal('show');
I've seen a couple of industrial deployments "secured" by a modal, so I'm totally buying what's in the article.
rogerhoward
I joined a startup with a product in production for a dozen or so major customers (US universities), public facing, with a slick new front and backend the team had been working hard on. I brought along a young engineer friend who had a pet interest in pentesting, so his first task before getting up to speed as a dev was a security review.
He and I sat down on day one to poke around, mainly to get oriented, not expecting much. Popped up Chrome's devtool network panel, refreshed the login page.
One of the first XHR rows was to an endpoint named “getKeys”
The return object was the root keys for the AWS prod account.
This crap is incredibly common. Maybe not that egregious, but close enough.
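A leak like the one described above is cheap to catch before it ships if response bodies are checked for credential shapes. The following is an added example, not code from the startup, the article or anyone in this thread: a small scanner that flags AWS access key IDs, a key ID paired with a secret-shaped string, and long values under sensitive-looking JSON field names. The function names and sample payloads are constructed; the credential values are the placeholder pair from AWS's own documentation.

```javascript
// Added example, not code from the thread or any product it mentions: a
// response-body check a team could run in CI or behind a proxy to catch
// what the commenter describes, cloud credentials returned by a public
// endpoint. Function names and sample payloads are constructed; the
// credential values are AWS's documented example pair, not real ones.

// Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
const AWS_ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;
// Shape of an AWS secret access key: 40 characters of base64-style text.
const AWS_SECRET_SHAPE = /\b[A-Za-z0-9/+=]{40}\b/;
// Field names that should never carry a long value in a public response.
const SENSITIVE_FIELD = /secret|private[_-]?key|password|token|access[_-]?key/i;

function redact(value) {
  return value.slice(0, 4) + "..." + value.slice(-4);
}

// Walk parsed JSON and flag sensitive-looking fields holding long strings.
function walk(node, path, findings) {
  if (node === null || typeof node !== "object") return;
  for (const [key, value] of Object.entries(node)) {
    const childPath = path ? `${path}.${key}` : key;
    if (SENSITIVE_FIELD.test(key) && typeof value === "string" && value.length >= 16) {
      findings.push({ kind: "sensitive-field", path: childPath, value: redact(value) });
    }
    walk(value, childPath, findings);
  }
}

// Scan one response body. Returns an array of findings; empty means clean.
// Pattern matches run on the raw text so non-JSON bodies are covered too;
// a key ID together with a secret-shaped string is reported as a pair,
// which is the high-severity case.
function findSecrets(body) {
  const findings = [];
  const keyIds = [...body.matchAll(AWS_ACCESS_KEY_ID)];
  for (const m of keyIds) {
    findings.push({ kind: "aws-access-key-id", offset: m.index, value: redact(m[0]) });
  }
  if (keyIds.length > 0 && AWS_SECRET_SHAPE.test(body)) {
    findings.push({ kind: "aws-credential-pair", severity: "critical" });
  }
  let parsed = null;
  try { parsed = JSON.parse(body); } catch (e) { /* not JSON; text scan only */ }
  walk(parsed, "", findings);
  return findings;
}

// Constructed stand-in for a "getKeys" style response.
const SAMPLE_GETKEYS_RESPONSE = JSON.stringify({
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
});

// Constructed benign response: a long opaque id under a non-sensitive name,
// which must not be reported.
const SAMPLE_CLEAN_RESPONSE = JSON.stringify({
  status: "ok",
  sessionId: "abcdefghijklmnopqrstuvwxyz0123456789abcd",
});

console.log(findSecrets(SAMPLE_GETKEYS_RESPONSE));
console.log(findSecrets(SAMPLE_CLEAN_RESPONSE));
```

The text-level patterns catch the credential even when the body is not JSON or the field is named innocuously; the field-name walk catches secrets that do not have a recognisable shape. Pairing the two keeps false positives down: a 40-character opaque session id on its own is not reported, while a key ID next to a secret-shaped string is escalated.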
godber
This claims to bypass the telematics functionality:
https://www.autoharnesshouse.com/69018.html
> Note for customers retaining OEM headunit: This adapter can also be used for those wishing to remove/disable the OEM Subaru Telematics functions. This is done to eliminate the tracking capability that Subaru has built into these vehicles. If this is you, we will need to add an additional part to this adapter to re-enable the bluetooth microphone. Please purchase the option 2 adapter near the bottom of this page for this situation.
bityard
Is there anything like this for Toyota DCM?
We bought a second-hand 2021 Highlander and thus did not sign any contract allowing our family to be tracked by Toyota. I went on a hunt recently for information on neutering the DCM but have thus far only found speculation and contradictory info.
willis936
Yeah it's bad out there. Don't do what the yahoos hacking up their harnesses have done. The Toyota DCM I'm familiar with has 3 coax antenna lines coming in. The outer 2 are cell and the inner is GPS. Pull the cell antenna cables out of the DCM and you should be good to go. Best to hunt down your vehicle's service manual and verify the procedure first.
LandoCalrissian
Awesome, thank you. Seems pretty straightforward.
godber
The info on that page seems a bit contradictory, but maybe I need more coffee.
rjmunro
> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.
How did they verify the never exploited maliciously part?
Did the person whose password they changed ever notice that their password didn't work any more and report the problem?
amatecha
Right, especially considering the Subaru Starlink service has apparently existed since 2014 or so[0], I have to wonder how long these vulnerabilities have been present.
[0] https://web.archive.org/web/20140719230852/https://www.subar...
arrowleaf
Assuming `samwcurry@gmail.com` belongs to the same person who owns samcurry.net, they changed their own password.
nkurz
I don't think that's correct. See the section in the article "Enumerating Employee Emails" which finishes "The jdoe@subaru.com (redacted) email was valid! We went back to the reset password endpoint and hit send."
Last year, I submitted a "right to know" request to Subaru, and they sent the following back. I've reformatted it for legibility. Basically asserts they'll do and sell whatever they want (except another car to me).
> Subaru may collect the following personal information about a consumer:
> Categories of personal information:
> Identifiers: Consumer records, Commercial information, Internet or Other Electronic Network Activity, Audio recordings, Vehicle geolocation, Professional or employee-related information, Inferences, Sensitive personal information
> Categories of sources from which the personal information is collected: Retailers, i.e. authorized Subaru dealerships, Provided by consumer or vehicle, Third parties
> Business or commercial purpose for which Subaru collects or sells personal information: To provide services to the consumer, To market goods and services to consumers, To provide marketing by third parties for third party goods and/or services, To comply with legal obligation
> Categories of third parties with whom the personal information is shared: Business service providers, Contractors, Retailers, Corporate parent and affiliates, Third party providers of goods and/or services, Entities required to comply with the law
> Categories of personal information sold: Identifiers for third party marketing of goods or services, Consumer records for third party marketing of goods or services
> Categories of personal information disclosed for business purpose: Identifiers are disclosed to service providers, contractors, and third parties; Consumer records are disclosed to service providers, contractors, and third parties; Commercial information is disclosed to service providers, contractors, and third parties; Internet or other electronic information is disclosed to service providers, contractors, and third parties; Vehicle geolocation is disclosed to service providers; Inferences are disclosed to service providers and contractors; Sensitive personal information is disclosed to service providers and contractors.