Subaru Software Hacked, Allowing Remote Control And Access To The Location Histories Of Millions Of Drivers
Last year Mozilla released a report showcasing how the auto industry has some of the worst privacy practices of any tech industry in America (no small feat). Massive amounts of driver behavior is collected by your car, and even more is hoovered up from your smartphone every time you connect. This data isn’t secured, often isn’t encrypted, and is sold to a long list of dodgy, unregulated middlemen.
Given the fact the U.S. is simply too corrupt to pass even a baseline privacy law, automakers and executives are never incentivized to really try very hard.
The latest case in point: hackers recently discovered that vulnerabilities in a Subaru web portal allowed them to hijack most remote car features, including the locks, the horn, and remote ignition. But they also discovered that the vulnerabilities made it possible to not only track the location of millions of Subaru drivers in real time, but a database of anywhere the car had traveled in the last year:
“…they found they could also track the Subaru’s location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.”
Great stuff! To their credit, Subaru was quick to patch the security flaws last November, but the flaws are increasingly common across an industry that simply doesn’t prioritize consumer security and privacy. The same industry also routinely lobbies against right to repair reforms (which would lower consumer costs and bring greater transparency to car privacy systems) under the pretense they’re just really super duper concerned about consumer security and privacy.
Subaru wasn’t the worst on privacy and security of all the automakers Mozilla tracked, but it was still bad. Not only do automakers fail to secure your sensitive data, they routinely monetize it in misleading and nontransparent ways, selling access to a vast array of barely regulated and extremely dodgy data brokers. Some of whom turn around and sell it to no limit of bad actors.
Congress is too corrupt to function, automakers see no incentive to really change, and consumers usually aren’t aware the problem exists in the first place, so the problem continues.