Subaru network hack

[Kaido]

Worth the read:

Subaru’s poor security left troves of vehicle data easily accessible

Security researchers hacked into an admin portal that also let them remotely control cars. They say Subaru is only one of many automakers tracking vehicles with lax security.

www.engadget.com

After gaining access, they were able to remotely control a test vehicle and view a year’s worth of location data.

Although the researchers’ tests traced the test vehicle’s location back one year, they can’t rule out the possibility that authorized Subaru employees can snoop back even farther. That’s because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for about that long. The location data wasn’t generalized to some broad swath of land, either: It was accurate to less than 17 feet and updated each time the engine started.

In addition to tracking their location, the admin portal allowed the researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry’s mother never received notifications that they had added themselves as authorized users, nor did she receive alerts when they unlocked her car.

This comes after GM was found to be recording & selling user data:

General Motors Is Banned From Selling Driving Behavior Data for 5 Years

An investigation by the Federal Trade Commission determined that consumers had not been aware that the automaker was providing their driving information to data brokers.

www.nytimes.com

The New York Times reported last year that G.M. was collecting data about people’s driving behavior, including how often they sped or drove at night, and selling it to data brokers that generated risk profiles for insurance companies. Some drivers reported that their auto insurance rates increased as a result.

“G.M. monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said Lina M. Khan, the chair of the F.T.C. “With this action, the F.T.C. is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

Which comes 10 years after hackers got into a Jeep:

Hackers Remotely Kill a Jeep on the Highway—With Me in It

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

www.wired.com

Horrific security all around, not to mention the privacy-violating data plundering.

 

[Torn Mind]

Hacks are like breaching locks. It’s plenty easy if you know what to do. And it all might even be intentional.

Dumb cars are going to be hot nostalgia two decades from now.

 

[evident]

I'm so glad my cars only had 3g connectivity at the latest... meaning their always on systems won't be able to work anymore.... this was for lexus enform and acura link... i'm very wary of getting a car newer than 2018.

 

[NutBucket]

Huh. Apparently my 2017 Subie needed an upgrade to move to 4G/5G connectivity. I'll have to ask the dealer if that happened...here's to hoping it didn't!

 

[Greenman]

Why does the manufacturer need all that information? Just an added income stream?

 

[evident]

big data analytics so they can optimize their software and sell you more shit, and sell your info to the insurance companies.

 

[manly]

Huh. Apparently my 2017 Subie needed an upgrade to move to 4G/5G connectivity. I'll have to ask the dealer if that happened...here's to hoping it didn't!

When BMW shut down 2G radios back in 2017, they gave customers either a retrofit or a gift card.

When 3G was shut down a few years back, affecting models newer than about 2017, they didn't offer anything.*

The cellular connectivity is good for (at least) two things: vehicle theft recovery and remote ventilation. It's not automakers' fault that 3G networks were sunset, but BMW should have handled this a lot better IMO. I absolutely miss remote ventilation in the summertime.

* No idea why lawyers never got involved. Vehicle theft recovery, in particular, is provided for 10 years from the original in service date.

 

[Kaido]

Why does the manufacturer need all that information? Just an added income stream?

Yup:

GM is selling driver data to insurers without consumers' knowledge

“GM monitored and sold people's precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said FTC Chair Lina M. Khan.

 

[repoman0]

Cars spying on people and phoning home with the data is the worst timeline. I’ll stick with my dumb car.

 

[Greenman]

Cars spying on people and phoning home with the data is the worst timeline. I’ll stick with my dumb car.

Seems like the right approach. A lawsuit also seems like a good idea.

 

[NutBucket]

When BMW shut down 2G radios back in 2017, they gave customers either a retrofit or a gift card.

When 3G was shut down a few years back, affecting models newer than about 2017, they didn't offer anything.*

I bought the car about 4 months ago. Subaru did offer a retrofit but that program is supposedly expired based on what I've read.