Subaru Software Hacked, Allowing Remote Control And Access To The Location Histories Of Millions Of Drivers
from the remote-control dept
Last year Mozilla released a report showcasing how the auto industry has some of the worst privacy practices of any tech industry in America (no small feat). Massive amounts of driver behavior data are collected by your car, and even more is hoovered up from your smartphone every time you connect. This data isn’t secured, often isn’t encrypted, and is sold to a long list of dodgy, unregulated middlemen.
Given that the U.S. is simply too corrupt to pass even a baseline privacy law, automakers and executives are never incentivized to really try very hard.
The latest case in point: hackers recently discovered that vulnerabilities in a Subaru web portal allowed them to hijack most remote car features, including the locks, the horn, and remote ignition. But they also discovered that the vulnerabilities made it possible not only to track the location of millions of Subaru drivers in real time, but also to pull up a record of everywhere the car had traveled in the last year:
“…they found they could also track the Subaru’s location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.”
Great stuff! To their credit, Subaru was quick to patch the security flaws last November, but the flaws are increasingly common across an industry that simply doesn’t prioritize consumer security and privacy. The same industry also routinely lobbies against right to repair reforms (which would lower consumer costs and bring greater transparency to car privacy systems) under the pretense they’re just really super duper concerned about consumer security and privacy.
Subaru wasn’t the worst on privacy and security of all the automakers Mozilla tracked, but it was still bad. Not only do automakers fail to secure your sensitive data, they routinely monetize it in misleading and nontransparent ways, selling access to a vast array of barely regulated and extremely dodgy data brokers. Some of whom turn around and sell it to no limit of bad actors.
Congress is too corrupt to function, automakers see no incentive to really change, and consumers usually aren’t aware the problem exists in the first place, so the problem continues.
Comments on “Subaru Software Hacked, Allowing Remote Control And Access To The Location Histories Of Millions Of Drivers”
Their terms of service should include:
“By using our cars, you hereby grant Subaru and their partners to track your position in realtime and save every move for as long as possible to allow Subaru to make the headlines every time a security flaw is exploited.”
I really don’t understand this — most auto manufacturers operate globally. Most technical issues are of the “fix once, globally” type, and can be implemented in all regions at close to zero cost.
All these auto manufacturers, including Subaru, have to deal with the GDPR.
Which means, even with privacy legislation with teeth staring them in the face, they’re STILL the worst at data security — AND they aren’t being called to account for it, despite legislation in non-US countries that suggests they should be.
The best way to prevent this data from leaking is not to collect it in the first place.
The manual transmission is once again proving to be the best theft deterrent.
But seriously, I haven’t applied that patch that’s been sitting in my inbox for months… and I’m in this industry. It’s just getting out of hand.
Software needs third-party testing as fit for service, including cybersecurity.
Or it needs PEs to sign off on the codebase for custom items.
As long as we can hack ourselves out of paying rent for heated seats or whatever.