> Subaru may collect the following personal information about a consumer:
> Categories of personal information:
> Identifiers: Consumer records, Commercial information, Internet or Other Electronic Network Activity, Audio recordings, Vehicle geolocation, Professional or employee-related information, Inferences, Sensitive personal information
> Categories of sources from which the personal information is collected: Retailers, i.e. authorized Subaru dealerships, Provided by consumer or vehicle, Third parties
> Business or commercial purpose for which Subaru collects or sells personal information: To provide services to the consumer, To market goods and services to consumers, To provide marketing by third parties for third party goods and/or services, To comply with legal obligation
> Categories of third parties with whom the personal information is shared: Business service providers, Contractors, Retailers, Corporate parent and affiliates, Third party providers of goods and/or services, Entities required to comply with the law
> Categories of personal information sold: Identifiers for third party marketing of goods or services, Consumer records for third party marketing of goods or services
> Categories of personal information disclosed for business purpose: Identifiers are disclosed to service providers, contractors, and third parties. Consumer records are disclosed to service providers, contractors, and third parties. Commercial information is disclosed to service providers, contractors, and third parties. Internet or other electronic information is disclosed to service providers, contractors, and third parties. Vehicle geolocation is disclosed to service providers. Inferences are disclosed to service providers and contractors. Sensitive personal information is disclosed to service providers and contractors.
[1] https://foundation.mozilla.org/en/privacynotincluded/article...
Seems pretty blanket-wide legalese. The part about audio recordings seems a bit troublesome, however.
Having bought a Subaru, I really tried to see where the consent is in the process. In my case, I think it’s the account establishment process that the dealer did.
Need I say which law protects us..... the one a significant number of HN readers (a technical news site!) appear to remain in shocking ignorance of?
But OMG, its consumer tech was dated when I bought it, and it's just full of inexplicable issues and caveats and such. Even just the limitations and the UX issues are so obvious that it sends a message that if they tried to fix them they would introduce just as many new issues. I'm at the point where despite the car being good, I'm not interested in a new one from Subaru.
I just want CarPlay or Android Auto or whatever similar services a given mobile OS provides to do similar things. That's it. Every time it's something else (even when offering CarPlay) from a car maker, it is so bad and so naively built that it makes me less confident in that company.
I know, they want my data and all and that's the motivation, but man it's just such a downer with every system.... and here I am with a good car in most respects and I'm not planning on buying from them again.
> More than three-fourths (79%) cite the built-in navigation system. However, this percentage has decreased from 81% in 2022 and 82% in 2021. Use of Android Auto/Apple CarPlay apps is increasingly the preferred system, with 7% of users citing this in 2023, compared with 5% in 2022 and 3% in 2021.
That's like 80% CP/AA adoption by 2060. UI/UX, and especially overall experience polish, has always been a major challenge for Japanese engineering. Everything is committee designed in a perpetual intra-company tug of war, and it shows as a "family sized mega pack" UI consisting of a bunch of code snippets, each with an attention-grab dialog to prove its worth. That was clearly one of the major causes that led to the total collapse of the domestic phone industry and iPhone dominance, but I suppose it hasn't affected car infotainment, or mass market cars in general.
1: https://japan.jdpower.com/sites/japan/files/file/2023-11/202...
Environmental controls are all physical hardware, CarPlay/AA is integrated well, etc; I can't really complain about any UX in the car.
The only UX gripe I can think of is that Apple doesn't let you use natural touch inputs to pan/zoom a map (instead forcing you to tap to bring up on-screen d-pad, then keep tapping the tiny button targets while trying to keep an eye on the road), but that's entirely on Apple; Android Auto allows normal 2 finger pan/zoom, so it's not a Subaru problem.
There was a TV ad for Subaru vehicles a couple of years ago (not that long!), and during the ad, they showed the infotainment system, where the user pans the map on the navigation touchscreen, and the map moves at maybe 1fps! In an ad!
I kinda wish they standardized the car interface for tablets (like Android Auto, but more features), where you could just buy a tablet and insert it in (like DIN slots for radio, but tablet-sized), and the car would expose some non-critical interfaces to the tablet (AC, ...), and you could just buy a replacement tablet if needed. Cars are made to last 10, 15, even more years, while the computers/entertainment devices move a lot faster, and that includes the connectivity (many cars on the streets today were made before 4G, and 3G is mostly dead).
The touchscreen is slow to respond and has few options, and the only way to really connect a phone is Bluetooth or 3.5mm. It really just does music and calls. However, long term I was a lot more confident in phones supporting backwards compatibility for Bluetooth vs Subaru keeping CarPlay/Android Auto up to date - and I plan to keep this thing for a very long time.
That aside, the one thing I haven't liked is the electronics. Many times it gets out of sync with the phone and simply can't connect, the only fix is to shut the car off, open the door so the stereo shuts off, then restart the car. The FM radio also quit working at one point, which I didn't really care about, but the dealer applied a software update and it started working again. That's just the visible stuff though, so much of the car is software controlled now, I think you have to start taking any software issues as a warning about the overall car.
Over the years, I tried multiple iOS and Android phones, but nothing improved the situation. Ultimately, the only solution was a complete deck replacement. Now, I’m using a "Joying" Android head unit with a rip-off version of CarPlay, which has finally resolved these issues.
$('#securityQuestionModal').modal('show');
is... mind-bogglingly stupid of whoever got the job to write that Starlink web-app.
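A constructed illustration of the point above, added here and not code from the Subaru/Starlink application or from the article's author: a password-reset endpoint whose only gate is a client-side modal, beside one where the server itself verifies the security answer, rate-limits attempts and binds the result to the session. The account store, salt, answer and function names are assumptions.

```python
"""Client-side gate vs. server-side enforcement of a security question.

Added, constructed example; not the Subaru/Starlink code the comment refers
to.  Accounts, answers and salts are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_answer(answer: str, salt: str) -> str:
    """Normalise and hash a security answer so the store never holds plaintext."""
    return hashlib.sha256((salt + answer.strip().lower()).encode()).hexdigest()


# Constructed account store (hypothetical values).
USERS = {
    "employee@example.com": {
        "salt": "constructed-salt",
        "answer_hash": _hash_answer("blue", "constructed-salt"),
        "password": "old-password",
    }
}


@dataclass
class Session:
    """Server-side session state the browser cannot edit."""
    verified_for: Optional[str] = None   # account that cleared the question
    reset_token: Optional[str] = None    # one-time proof bound to that check
    attempts: int = 0


# --- Weak: the only "check" is the browser showing a modal -----------------
def reset_password_weak(email: str, new_password: str) -> bool:
    """Resets for any caller; nothing confirms the question was ever answered,
    so skipping the modal (or calling the endpoint directly) is enough."""
    if email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True


# --- Hardened: the server verifies, rate-limits and binds the result ---------
MAX_ATTEMPTS = 5


def verify_security_answer(session: Session, email: str, answer: str) -> Optional[str]:
    """Check the answer server-side; on success mint a single-use reset token."""
    session.attempts += 1
    user = USERS.get(email)
    if user is None or session.attempts > MAX_ATTEMPTS:
        return None
    if hmac.compare_digest(_hash_answer(answer, user["salt"]), user["answer_hash"]):
        session.verified_for = email
        session.reset_token = secrets.token_urlsafe(32)
        return session.reset_token
    return None


def reset_password_hardened(session: Session, email: str, token: str, new_password: str) -> bool:
    """Only honour the reset if this session proved the answer for this account."""
    if session.verified_for != email or not session.reset_token:
        return False
    if not hmac.compare_digest(session.reset_token, token):
        return False
    USERS[email]["password"] = new_password
    session.verified_for = None      # token is single use
    session.reset_token = None
    return True
```

The weak variant is what a `modal('show')` gate amounts to: the check exists only in the page's JavaScript, so the endpoint behind it has no idea whether it ran. In the hardened variant the proof lives in server-side session state, the answer comparison is constant-time against a hash, attempts are capped per session, and the token is consumed on use, so no client-side path can reach the reset without the server having seen a correct answer.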
OTOH, the hacker hijacked a Starlink employee's account to get in, isn't that over the line in terms of "ethical hacking"/legality standpoint?
Thankfully, even AI writes better code than this, so as this type of developer quickly becomes unemployable over the next few years, I think we’ll see a temporary increase in code quality.
This whole thing is honestly what I've suspected/expected owning this car, but it's somehow still surprising to see. My guess is no car company does this really well right now, and it makes me want to drive a 1998 Acura Integra instead.
This is mind blowing to me. Number 1: why do you need a car connected to the internet all the time? And how are you not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will?
If Chinese companies comply with the ban by providing car models without internet connectivity, it's hilarious to me that the nationalist regulation could make Chinese branded vehicles more desirable from a security & privacy standpoint.
To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot.
> And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.
Legally speaking, I believe that depends on your local privacy laws. Practically speaking, car makers (and government agencies) love these features for troubleshooting and tech support, or for flagging crashes before any authorities or local press have time to arrive (think Tesla).
Don't ask them about finding your stolen car, though. Then the data may suddenly not be available.
I really hope this was sarcastic. How did we ever manage to find our cars before IoT cars …
He now has a new vehicle.
Solved problem since at least the late 1980's. No internet required.
https://europa.eu/youreurope/citizens/travel/security-and-em...
In the US a bill was passed requiring driver impairment equipment on all vehicles and automatic deactivation of the vehicle if the driver is determined to be impaired. Current impairment technology monitors head and eye movement and/or blood or breath.
The source you link very explicitly contradicts that:
> Your eCall system is only activated if your vehicle is involved in a serious accident. The rest of the time the system remains inactive. This means that when you are simply driving your vehicle, no tracking (registering your car's position or monitoring your driving) or transmission of data takes place.
It isn't connected to 'the internet' either; it's an emergency call activation service, i.e. you can activate it to call 112 (emergency services) when needed without a charge. In fact, it uses a SIM card to do so.
In fact, your link doesn't mention 'online' or 'internet' anywhere.
I use the remote app often - quite useful.
Every time I have gotten a newer Subaru as a loaner it strikes me that they are worse cars for all this new stuff. The user interface is horrible in the new ones. In a lot of cases they have a skeuomorphic interface up on the touch screen that mimics the physical controls in my car! The actual physical controls are about 100x faster to operate and you quickly learn where the buttons are without looking.
I had an Ascent Onyx loaner last summer. The entire touch screen UI looked like it was barely operating above 10fps. Just gross. Lots of the UI is black and white as well, not even tasteful grayscale. The Onyx I had also had the upgraded HK stereo, and that is not as good as the one in my car either; it sounded noticeably worse.
The electric steering on the new Subarus is terrible as well. My old Outback is not exactly a sports car, but getting out of a new one back into mine, it feels like you're getting into a Porsche or something when you feel the hydraulic steering. Engine/turbo lag on a lot of the new ones is gross as well.
This is of course even worse! My car only has 120k miles on it, I plan to keep it for another 4 years and then maybe give it to my kid when he gets his license. Somehow I doubt Subaru will have a competitive vehicle by then. For me to consider another one they'd really need to have an EV Outback/Forester/Ascent or a Hybrid version that gets at least 40mpg. And they need to fix all this horrible infotainment stuff in a way that the car operates better than a kids toy and actually drives well like an older Subaru. Also they need to get off the whole stupid thing with giant rims. It's supposed to be a Subaru, it needs to have tires appropriate to going relatively fast on dirt roads.
Regarding Starlink, there's actually a battery drain issue on older systems because the 3G modem fails to find a base station (because 3G is deprecated) and drains your battery doing retries. You can remove the Starlink module, but since the Bluetooth microphone and front speakers are routed through it, you'll lose that functionality unless you spend $80 for a dongle to restore them.
I'd say the backup camera is a welcome addition for the newer one but if the roads are even remotely dirty the camera almost immediately becomes totally obscured rendering it useless, which around here occurs at least half the year.
Combined with the battery drain issue I will probably not buy another one. At the most I'll give them a test drive to see if the control system has been returned to some semblance of sanity. Unfortunately all new cars seem to be privacy nightmares so I'm not sure how I'll avoid that.
It was a major WTF when I first saw it.
Mine is electrically controlled (and many Subarus are) but it's still connected full time. IME, driving other electrically controlled non-full-time systems, what you feel in those is the electrically controlled clutch packs completely disconnecting the rear wheels, and the AWD is 100% disabled until the traction control system kicks in. Then you get a brief moment where the car feels out of control until the clutch activates the AWD. The tradeoff is that a system that completely disconnects the rear wheels results in those vehicles (e.g. Honda/Toyota) getting much better fuel economy than Subarus, as they operate as front-wheel drive almost all the time.
I have never been in any Subaru that behaved that way. And a roller test is not where it matters anyway. Roller tests are contrived. Where you feel the difference between permanent AWD and part-time AWD is medium and high speed situations where the vehicle starts to lose control. Most people will never put any family crossover/SUV into a situation anywhere close to the roller tests or hill ascent tests.
All of this seems to become completely meaningless with EVs being the future.
My 2013 Outback Limited with rally package (wheel paddle shifters etc) gets 32 on the highway with my driving habits and almost 28 offroading. That's with larger tires and a disconnected swaybar for better articulation, everything else is stock. CVTs don't respond well to lead-footing.
It'll take ~6 months or so, but they will send you a confirmation email.
For sure my retailer, which is a third party according to that page, still has 100% access to the data, as they were able to tell my car was in another state when I called recently. Seems pretty troubling.
Sue them, make it a class action.
Location and g-force and direction when the automated system shuts off and returns control to the driver, that sort of thing. I don't agree with it, but that would be my guess.
I own a Subaru that does this, so I'm not happy about it, but what can I do?
That's rhetorical.
That stuff is probably more valuable than many of us want to admit. There is the maybe more noble value: training data for maps, traffic analysis AI, engineering duty cycle data, things like that. Then there are the other uses, for example various surveys and studies are needed for new roads or signal changes, can this kind of data proxy for that? We would be talking about cutting millions of dollars out of some of these projects and months or even years off a timeline. Then the ad-tech, where do you put billboards and signage? Where do you build a shop? Probably other uses we aren’t even thinking about.
Cars have become a commodity, especially since China made their first vehicles that didn't get outright banned in Europe for being too unsafe to be roadworthy, and even some nominally "entry level" cars have more horsepower under the hood than a 1990s 7-series BMW (138 kW). Strict requirements on emissions, fuel consumption and crash safety have all but eliminated differences in optics (the amount of shapes is finite). So the only thing left to differentiate other than build quality (where China is rapidly catching up) is assistance systems... and there, AI is the hot craze, and AI only works when it has insane amounts of data to gobble up.
Moreover, not just millions of dollars in aggregate, but millions of dollars per individual customer whose privacy was violated.
You might have some luck pursuing this at the state level if you're lucky enough to live in a handful of states such as California or Minnesota.
All outsourced maybe?
I don't get it. That would be a huge red flag and a fairly easy to understand / sell red flag.
I've seen a couple of industrial deployments "secured" by a modal, so I'm totally buying what's in the article.
He and I sat down on day one to poke around, mainly to get oriented, not expecting much. Popped up Chrome's devtools network panel, refreshed the login page.
One of the first XHR rows was to an endpoint named “getKeys”
The return object was the root keys for the AWS prod account.
This crap is incredibly common. Maybe not that egregious, but close enough.
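As an added example, not code from the commenter's engagement or from any project on the page: a small scanner that flags AWS credential-shaped values in an API response body, the kind of check a team can run in a proxy, an integration test or CI against a staging build so a "getKeys"-style endpoint is caught before it ships. The sample response is constructed and uses AWS's documented example key pair; the function names are assumptions.

```python
"""Flag credential-shaped values in an API response body.

Added example, not code from the page.  The response below is constructed
and uses AWS's documented example access key pair.
"""
import json
import re
from typing import Any, Dict, List

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA; both are
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet.  That shape
# alone matches plenty of harmless blobs (hashes, build IDs), so it is only
# reported when the field name suggests a secret.
AWS_SECRET_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
SENSITIVE_NAME_RE = re.compile(r"secret|private|token|password|credential", re.I)

# Constructed response, shaped like the "getKeys" reply the comment describes.
SAMPLE_RESPONSE = json.dumps({
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1",
    "buildId": "c0ffee1234567890c0ffee1234567890c0ffee12",  # 40 chars, benign
})


def _walk(obj: Any, path: str, findings: List[Dict[str, str]]) -> None:
    """Recursively visit a decoded JSON value, recording suspicious leaves."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", findings)
    elif isinstance(obj, str):
        leaf = path.rsplit(".", 1)[-1]
        if AWS_KEY_ID_RE.search(obj):
            findings.append({"path": path, "kind": "aws_access_key_id"})
        elif AWS_SECRET_RE.match(obj) and SENSITIVE_NAME_RE.search(leaf):
            findings.append({"path": path, "kind": "aws_secret_access_key"})


def scan_response(body: str) -> List[Dict[str, str]]:
    """Return one finding per credential-shaped value in a response body.

    JSON bodies are walked so each finding carries a field path; anything
    else is scanned as plain text for key IDs only.
    """
    findings: List[Dict[str, str]] = []
    try:
        _walk(json.loads(body), "$", findings)
    except ValueError:
        for m in AWS_KEY_ID_RE.finditer(body):
            findings.append({"path": f"offset {m.start()}", "kind": "aws_access_key_id"})
    return findings


if __name__ == "__main__":
    for f in scan_response(SAMPLE_RESPONSE):
        print(f"{f['kind']} at {f['path']}")
```

The key-ID pattern is precise enough to alert on directly; the secret pattern is deliberately tied to the field name because a bare 40-character base64 match would page on every hash in the response. Either finding on a response served to an unauthenticated page is a release blocker, and the path in the finding tells the owning team exactly which field to pull.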
https://www.autoharnesshouse.com/69018.html
> Note for customers retaining OEM headunit: This adapter can also be used for those wishing to remove/disable the OEM Subaru Telematics functions. This is done to eliminate the tracking capability that Subaru has built into these vehicles. If this is you, we will need to add an additional part to this adapter to re-enable the bluetooth microphone. Please purchase the option 2 adapter near the bottom of this page for this situation.
We bought a second-hand 2021 Highlander and thus did not sign any contract allowing our family to be tracked by Toyota. I went on a hunt recently for information on neutering the DCM but have thus far only found speculation and contradictory info.
How did they verify the never exploited maliciously part?
Did the person whose password they changed ever notice that their password didn't work any more and report the problem?
[0] https://web.archive.org/web/20140719230852/https://www.subar...
[1] https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...
Obviously the ability to pull up account history, previous owners, etc. is applicable to anyone with a Subaru.
But I'm curious if location history shows up for people that have Subarus and never registered Starlink/never used the app. The author says:
> but it seemed that we had agreed to the STARLINK enrollment when we purchased it.
But it's not clear to me whether "it" refers to purchasing Starlink or purchasing the vehicle.
Pulling the antenna cable is the right move.
Fun fact on car GPS: it actually feeds back through carplay so your navigation gets worse without it. What I have yet to figure out is if the network connection is given to the car through carplay.
Here's a chart of DCM fuse location by vehicle:
https://www.subaruoutback.org/threads/dcm-fuse-location-2020...
And, can this tracking be deactivated? I have a Mazda, and it required a phone call to Mazda to get it disabled.
https://www.subaru.com/support/privacy-policies/vehicle-priv...
So looks like you’re only tracked if you are signed up with Starlink, having first obtained the prerequisite MySubaru account.
Is there even a single (new) car that fits these criteria?
However a much better title would have been "Hacking Subaru: FEEL THE FREEDOM"
https://trademarks.justia.com/owners/subaru-of-new-england-i...
Related to the GM ban https://news.ycombinator.com/item?id=42734260
https://www.subaruoutback.org/threads/disconnected-cars-non-...
Guess I'll stick with old Kei vans...
I bought a Subaru in the aughts that I absolutely loved and had assumed my next car would be from the same company. But when I test drove and looked into a new model I was shocked at how many terrible changes had been made, and I didn't even uncover half of what is in this thread.
I'm not holding my breath, but hopefully the bad press affects sales enough to make the people running this company care and alter their behavior. The mechanical cars themselves are still nice to drive, but the terrible interfaces, obscene amount of spying, and intrusively unethical behavior really kill the experience.
Sure, these data privacy issues are rampant across the automotive industry. It really isn’t just Subaru.
But really what I’m talking about is the entire product. I have no idea why people like them so much:
- Some of the worst exterior styling of any brand
- Cheap interiors that are so ugly
- Their history is riddled with major powertrain issues especially for how well-regarded they are
- Historically horrific gas mileage compared to competitors as a tradeoff for symmetrical all-wheel-drive that realistically very few of their buyers need.
- Their gas mileage isn’t bad anymore but they haven’t even released any hybrids yet, meanwhile every competitor under the sun has hybrids all over the place
- Their current infotainment system is god awful with horrendous graphics and the climate controls are stuck inside it
I think the only positive thing I can say about the brand is that they're the last company selling a non-euro-luxury station wagon in the US, but really it's basically a similar stance as a typical crossover SUV, so you might as well buy one of those (or just get yourself a used E Class wagon and end up with a much better car).
It's actually the name of Subaru's connected infotainment system: https://www.subaru.com/vehicle-info/subaru-starlink.html
So 'only' Subaru, Starlink, their business and advertising partners, and law enforcement, can remotely track (and disable - don't think you can run from the law!) your car?
> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.
Assuming it's possible to not agree to it - does that completely disable the system, or is everyone with a Subaru just one warrant away from getting locked in their car until the police can come to arrest them? Does the car still store (I'm charitably assuming it doesn't transmit) location data, so all your friends can retroactively be identified and arrested as well, even if you never agreed to any tracking?
(To get ahead of the usual retort - haha yes, phones also track this data, therefore let's not fix any problems unless we can fix all of them at the same time. But actually let's use the other problems as an excuse to do nothing.)
So it’s just Subaru.
Also I doubt any ad partners can disable your car (outside of vulnerabilities like this). Subaru can but that’s the case with most modern vehicles.
So at least my Subaru cannot connect to the cloud anymore. I'm sure it still stores location and telemetry data for insurance fraud reasons though.
Sounds like something you can use to justify a higher selling price when the time comes
Now very curious about this bypass box as well - I heard just manually removing the 3G SIM (supposedly easy) can also maybe cause battery issues. If the "bypass box" alleviates all potential use of the system, that is ideal long term!
I do not know exactly what is transmitted or stored when you do not have an active subscription, but you are one warrant away from having the police ordering Subaru to track your car. But they would probably try this with your cell provider before they try your car manufacturer.
My new car came with something called "Google Built-In," which seems to be the bastard sibling of Google Car Play.
During the set up, if you'd like to read the privacy policy, you must scan a QR code on your phone, which opens a web page that does not display on mobile devices.
If you'd like to opt-out of anything, you have to create a Google account, then log the car into that Google account, then log into that Google account on your phone, then go hunting for the settings on both the car and in the Google account online. Good luck finding them all.
Also, it is not possible to uninstall certain "essential" Google apps from the car. Apparently, YouTube is now an "essential" part of driving.
- ez employee account takeover - as the admin panel employee you can look up the customer’s billing account info and location history, make any changes to the customer account that a customer service employee can - you can also add an arbitrary account as an authorized user for any customer - so you can now log into the regular “Subaru owner” mobile app as that account and that’s how the car-impacting parts of this vulnerability were actually performed.
That means you can activate key fob type commands and see the tracking information available through that app.
The reason I point this out is that you said “remotely disable” and “lock you in your car” - and those are both things such an app can’t do. There’s no “disable car” button in those apps.
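The employee-to-customer pivot described in the comment above is something the operator of such an admin panel can watch for in its audit log. The following is an added example, not Subaru's code or the researchers': constructed log lines and two detection rules, one flagging an employee who adds authorized users to several distinct customer accounts within a short window, and one flagging a single account that becomes an authorized user on several different customers' vehicles. The log format, field names, thresholds and window are assumptions.

```python
"""Detection over constructed admin-panel audit lines.

Added example; the log format, actors, thresholds and window are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) "
    r"customer=(?P<customer>\S+) target=(?P<target>\S+)$"
)

# Constructed sample: alice and carol do routine single adds; bob adds the
# same outside account to four customers within two minutes.
SAMPLE_LOG = """\
2025-01-20T09:00:01Z actor=emp.alice action=add_authorized_user customer=cust-1001 target=owner1@example.com
2025-01-20T09:05:12Z actor=emp.alice action=view_billing customer=cust-1001 target=-
2025-01-20T09:07:45Z actor=emp.bob action=add_authorized_user customer=cust-2002 target=same@example.net
2025-01-20T09:08:02Z actor=emp.bob action=add_authorized_user customer=cust-2003 target=same@example.net
2025-01-20T09:08:30Z actor=emp.bob action=add_authorized_user customer=cust-2004 target=same@example.net
2025-01-20T09:09:10Z actor=emp.bob action=add_authorized_user customer=cust-2005 target=same@example.net
2025-01-20T11:30:00Z actor=emp.carol action=add_authorized_user customer=cust-3001 target=owner3@example.org
"""


def parse_log(text: str) -> List[Dict]:
    """Parse lines into dicts with a datetime 'ts'; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect(events: List[Dict], window: timedelta = timedelta(minutes=15),
           actor_threshold: int = 3, target_threshold: int = 3) -> List[Dict]:
    """Return alerts for bulk authorized-user adds by one actor or onto one target."""
    adds = sorted((e for e in events if e["action"] == "add_authorized_user"),
                  key=lambda e: e["ts"])
    alerts: List[Dict] = []

    # Rule 1: one employee touching many distinct customers inside the window.
    by_actor: Dict[str, List[Dict]] = defaultdict(list)
    for e in adds:
        by_actor[e["actor"]].append(e)
    for actor, evs in by_actor.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if e["ts"] - x["ts"] <= window]
            customers = {x["customer"] for x in recent}
            if len(customers) >= actor_threshold:
                alerts.append({"rule": "actor_bulk_authorized_user_adds",
                               "actor": actor, "customers": sorted(customers),
                               "at": e["ts"]})
                break  # one alert per actor is enough to open a case

    # Rule 2: one account granted access to many customers' vehicles.
    by_target: Dict[str, set] = defaultdict(set)
    for e in adds:
        by_target[e["target"]].add(e["customer"])
    for target, custs in by_target.items():
        if len(custs) >= target_threshold:
            alerts.append({"rule": "single_account_authorized_on_many_customers",
                           "target": target, "customers": sorted(custs)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

Rule 1 catches a compromised or misused employee session regardless of which accounts it adds; rule 2 catches the same pattern spread across several employee sessions, because the attacker-controlled account is the constant. Both keyed on the add action rather than on lookups, since viewing billing or location history is routine support work and would drown the signal.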
If it’s anything like my GM car, it takes like 30 seconds for the car to act on each command you send. So you could lock someone out but if they have a key it’ll be easy for them to unlock it before you can re-lock it. And if it’s in motion you can’t stop it from the app. And finally cars don’t support locking in. They are all designed with handles that will open mechanically with either one or two pulls. Worst it can do to stop you is sound your alarm.