Last year, I submitted a "right to know" request to Subaru, and they sent the following back. I've reformatted it for legibility. Basically asserts they'll do and sell whatever they want (except another car to me).
> Subaru may collect the following personal information about a consumer:
> Categories of personal information:
> Identifiers: Consumer records, Commercial information, Internet or Other Electronic Network Activity, Audio recordings, Vehicle geolocation, Professional or employee-related information, Inferences, Sensitive personal information
> Categories of sources from which the personal information is collected: Retailers, i.e. authorized Subaru dealerships, Provided by consumer or vehicle, Third parties
> Business or commercial purpose for which Subaru collects or sells personal information: To provide services to the consumer, To market goods and services to consumers, To provide marketing by third parties for third party goods and/or services, To comply with legal obligation
> Categories of third parties with whom the personal information is shared: Business service providers, Contractors, Retailers, Corporate parent and affiliates, Third party providers of goods and/or services, Entities required to comply with the law
> Categories of personal information sold: Identifiers for third party marketing of goods or services., Consumer records for third party marketing of goods or services
> Categories of personal information disclosed for business purpose: Identifiers are disclosed to service providers, contractors, and third parties., Consumer records are disclosed to service providers, contractors, and third parties., Commercial information is disclosed to service providers, contractors, and third parties., Internet or other electronic information is disclosed to service providers, contractors, and third parties., Vehicle geolocation is disclosed to service providers., Inferences are disclosed to service providers and contractors., Sensitive personal information is disclosed to service providers and contractors.
This is pretty well known and true for almost all car manufacturers. A few years ago there was a small upset about this [1]. My Opel (a Stellantis brand) happily shows me a message that it is now sharing my location data and that I can change that by pressing the message now -- while I drive. It never shows the message when the car is not moving. I lavishly spread a blanket of Hanlon's Razor over this.
The non-troublesome use case is clicking the Starlink button and talking to their support.
Having bought a Subaru, I really tried to see where the consent is in the process. In my case, I think it’s the account establishment process that the dealer did.
Not surprised. I've had a few interactions with Subaru connected services dev team as an external contractor from another car company, everyone was everyone else's cousin, friend, homeboy from India. Nepotism was rampant, no one wanted to listen to advice, a strong culture of corporate antibodies had formed. I'm surprised they even got it to work at this level.
I love my Subaru as far as reliability, all wheel drive performance in snow and ice, and such.
But OMG its consumer tech was dated when I bought it, and it's just full of inexplicable issues and caveats and such. Even just the limitations and the UX issues are so obvious that it sends a message that if they tried to fix them they would introduce just as many new issues. I'm at the point where despite the car being good, I'm not interested in a new one from Subaru.
I just want CarPlay or Android Auto, or whatever similar services a given mobile OS provides to do similar things. That's it; every time it's something else (even when offering CarPlay) from a car maker, it is so bad and so naively built that it makes me less confident in that company.
I know, they want my data and all and that's the motivation, but man it's just such a downer with every system.... and here I am with a good car in most respects and I'm not planning on buying from them again.
I suspect it has to do with slow adoption of CarPlay/Android Auto in Japan - everyone still options aftermarket infotainment at dealerships and is happier about it than with phone-based experiences. From a random Google search result[1]:
> More than three-fourths (79%) cite the built-in navigation system. However, this percentage has decreased from 81% in 2022 and 82% in 2021. Use of Android Auto/Apple CarPlay apps is increasingly the preferred system, with 7% of users citing this in 2023, compared with 5% in 2022 and 3% in 2021.
That's like 80% CP/AA adoption by 2060.
UI/UX and especially overall experience polish had always been a major challenge for Japanese engineering. Everything is committee designed in a perpetual intra-company tug of war, and it shows as a "family sized mega pack" UI consisting of a bunch of code snippets, each with an attention-grabbing dialog to prove its worth. That was clearly one of the major causes that led to the total collapse of the domestic phone industry and iPhone dominance, but I suppose it hasn't affected car infotainment, or mass market cars in general.
>UI/UX and especially overall experience polish had always been a major challenge for Japanese engineering.
I can believe it. The whole issue of "Japanese video game companies don't understand the internet" to some extent still feels like it is an issue at times.
For a while it felt like we got late 1990s solutions in the mid 2010s... it's gotten better-ish in the land of video games, but man it's so bad at times still.
Hmm this is really different than my experience with a 2018 Crosstrek, so maybe things have changed? When I bought it, Subaru was among the earlier CarPlay/Android Auto adopters (we specifically ruled out a new model year Prius because it lacked it and we couldn't wait a year to replace our totaled car just for CarPlay/AA), and other than a very rare issue where the head unit screen doesn't turn on, it's been pretty rock solid with both phone OSes.
Environmental controls are all physical hardware, CarPlay/AA is integrated well, etc; I can't really complain about any UX in the car.
The only UX gripe I can think of is that Apple doesn't let you use natural touch inputs to pan/zoom a map (instead forcing you to tap to bring up on-screen d-pad, then keep tapping the tiny button targets while trying to keep an eye on the road), but that's entirely on Apple; Android Auto allows normal 2 finger pan/zoom, so it's not a Subaru problem.
I have a 2018 Crosstrek and a 2024 Outback. They both are really, really, good, and here are the two rough edges.
* Crosstrek doesn't do wireless CP/AA, and the USB only supplies 1.5a, so it sometimes isn't enough to charge the phone while listening to music and navigating. This is a common problem in 2018 vehicles. USB-C had not conquered the world yet.
* Outback has a big screen. The only complaint is that it is too aggressive, telling users no because the vehicle is moving. Passenger operating the touch screen is a thing, and nothing is worse than having to pull over so someone can change a setting. Also, it is a very bad experience to be going 70MPH, tap a button, and be told no - will be interesting to see if this causes accidents where people momentarily stop paying attention to the road because they are raging to the touch screen.
One thing that is really nice about Subaru is that the controls just evolve a little from model year to model year. When I got the Outback, there were only a few buttons that had moved to get used to. Aside from climate control, almost everything has buttons, and most of the time, they are on a stalk or steering wheel.
There is no cure for digital privacy in any modern car. And there is no consumer choice to enable or disable data sharing. We need some legislative intervention here.
I noticed that too with CarPlay. Trying to pan around in Waze is impossible but doing it in Android Auto is very easy. The one nice thing about CarPlay Waze is that it allows keyboard input, Android Auto (at least in my Subaru) only allows for speech to text when searching locations.
It's something about how they have it configured. I have a '17 Honda Civic and its built-in CarPlay lets me pan and scroll just fine. However, on my '23 Ascent, I have to tap arrows to pan the map, and vertical "scrolling" is actually just pagination. Same iPhone, different behavior. It must be some simple config toggle on Subaru's end that they left off for whatever reason.
i believe it is related to the capabilities of the touch screen itself. something like "if no multi-touch available, fall back to the pan/scroll interface" makes sense to me.
CarPlay supports pan gestures based on configuration provided to it by the car maker. This is entirely on Subaru for misconfiguring their CarPlay integration.
there was a tv ad for subaru vehicles a couple of years ago (not that long!), and during the ad, they showed the infotainment system, where the user pans the map on the navigation touchscreen, and the map moves at maybe 1fps! in an ad!
I kinda wish they standardized the car interface for tablets (like android auto, but more features), where you could just buy a tablet and insert it in (like din slots for radio, but tablet-sized), and the car would expose some non-critical interfaces to the tablet (AC,...), and you could just buy a replacement tablet if needed. Cars are made to last 10, 15, even more years, while the computers/entertainment devices move a lot faster, and that includes the connectivity (many cars on the streets today were made before 4g, and 3g is mostly dead).
unfortunately the entire global system is designed so that more has to be sold than last year. in the US as a publicly traded corporation you are legally liable to make more than the year before... we're lucky cars even last as long as they do now...
Subaru infotainment is also very controlling. Want to use the keypad while you’re taking a phone call on the go? No, it won’t let you if the car is moving. You’ll need to use your phone’s UI. Other CarPlay cars don’t do this.
My 2017 Mazda with CarPlay does something similar. It truncates any lists (songs, podcast episodes, contacts, etc) that CarPlay displays to 10 items. All it does is incentivize folks to use their phone. It's incredibly annoying because the Mazda command dial for interacting with CarPlay is otherwise excellent and I don't think that limiting the list size does anything to reduce distraction.
I really like the dials some cars come with like BMWs. Subaru doesn’t have any dials at all unfortunately - just a touchscreen with really bad quality. The interface also often has buttons with very small size that make it hard to operate.
My subaru has a fairly mediocre touchscreen and interface but almost all of the things I actually use are manual controls. I usually turn the touchscreen off first thing when I get in the car (two button presses). My phone connects automatically for music and I either control through the phone or via dials (like for volume) or buttons (like for climate)
I find this restriction weird as well. I would like to not have my privacy violated by voice assistants. I just want the phone interface to be accessible through the car display and to be able to control it through a dial ideally.
On my VW I disabled this limitation with a VCDS coder. What's funny is that the flag was labeled 'nhtsa_limitation_switches_for_X' nhtsa as in National Highway Traffic Safety Administration.
I purposely bought the last Subaru without CarPlay/Android Auto for this reason - I could upgrade my head unit but I like the slightly more oldschool one.
The touchscreen is slow to respond and has few options, and the only way to really connect a phone is Bluetooth or 3.5mm. It really just does music and calls. However, long term I was a lot more confident in phones supporting backwards compatibility for Bluetooth vs Subaru keeping CarPlay/Android Auto up to date - and I plan to keep this thing for a very long time.
I loved mine until the transmission blew out at 96,000 miles. Could be a one-off, but then a friend bought a used one with 108,000 miles, and the dealer proudly noted that it had a new transmission just installed. I think that vaunted reliability is gone.
That aside, the one thing I haven't liked is the electronics. Many times it gets out of sync with the phone and simply can't connect, the only fix is to shut the car off, open the door so the stereo shuts off, then restart the car. The FM radio also quit working at one point, which I didn't really care about, but the dealer applied a software update and it started working again. That's just the visible stuff though, so much of the car is software controlled now, I think you have to start taking any software issues as a warning about the overall car.
Subaru's in-vehicle entertainment technology has long been criticized, even before features like CarPlay became standard. Take my 2012 WRX, for example—its Bluetooth reception was the worst I've ever experienced in a Bluetooth-equipped vehicle. Audio feeds would randomly pop and drop out during podcasts, even when the phone was within a two-foot radius of the deck.
Over the years, I tried multiple iOS and Android phones, but nothing improved the situation. Ultimately, the only solution was a complete deck replacement. Now, I’m using a "Joying" Android head unit with a rip-off version of CarPlay, which has finally resolved these issues.
I have a car from another Japanese manufacturer (Mazda) - their connected services app is weird and clunky and was down twice this month. And I'm expected to pay $10/month for this thing after the first year! Cmon.
I worked in situations where things were outsourced and yeah the Indian experience was horrific. But that also was influenced by the nature of the relationship.... they didn't work "for us" in any real way.
I worked for a company where we (a Midwestern company) were acquired by a valley company and at HQ there was a clear divide between the Indian (US citizens, not H1B) folks and the local CA team. It wasn't bad, but you could see it socially and feel the vibe and such.
I traveled there a few times and I was just friendly and ... man they were great. Very friendly, very professional, and highly capable.
Sometimes I think the business relationships also creates the informal "working culture" too.
We once hired an Indian programmer who absolutely didn't get along with his boss, who was also Indian. Turns out the boss was a Dalit and the programmer was a Brahmin. And this is how I learned about the Indian Caste system.
I am of Indian descent. Apparently from the penultimate caste. Anyway, I had someone from another team inform me of the inferior caste of one of our clients, and why I shouldn’t take shit from them.
That said, going back to New Delhi, at least in the circles I travelled in, it’s incredibly taboo to ask about caste. (Comparable to Americans using the n word.)
I've learned it is normally pretty easy to tell what caste someone is from.
But watching a Brahmin who really believes they are vastly better than Dalits act like as arrogant as the Goa'uld from Stargate SG1 was really something.
> I've learned it is normally pretty easy to tell what caste someone is from
With all due respect, you’ve fooled yourself into ignorance.
Many Indians haven’t had a relationship with caste for generations, particularly in the cities or upper and middle classes. (Intermarriage and wealth have rendered it indiscernible.)
There are also something like 25,000 castes and subcastes. It’s not a system designed for anyone to get right. That convolutedness is almost the point. Moreover, there are tens of millions of Indians who have never had a caste because they belong to a different religion or sect of Hinduism.
> There are also something like 25,000 castes and subcastes.
That makes it sound like castes are professions (which IIRC used to be somewhat inherited in the UK, hence names like Smith and Cooper), but where people then tried to assign ranks to those professions (like the family names Bishop and King)?
I am almost totally ignorant of how it really works, but I'm an omni-curious nerd, if you want to enlighten me :)
Yup. In the West one of the Byzantine emperors calcified the economy by making trades heritable (Justinian?). We don't know the historic source of the same in India, just that it happened earlier and was allowed to develop for much, much longer.
With respect, it is you who has fooled themselves into ignorance.
If you are open to having your views challenged (and proven wrong), please listen to The Seen And the Unseen podcast, specifically the episode with Chandra Bhan Prasad.
I've heard of this claim so often that I assume it to be true, though personally I've only had the fortune to work in better environments where my Indian colleagues aren't nepotistic. I suspect this might be related to the hiring bar: if a company only hires the top talent perhaps this would not be an issue.
Unfortunately I think it depends on the number and position of Indian folks.
Small numbers where you deal with people individually, I've not seen issues and it's nice to work with Indian devs.
In larger numbers or when in charge of hiring, there seems to be a prevalent issue of Indian cultural norms and favors kicking in and it can happen fast.
The linked article is about a fraud conducted by a few bad apples. I can see people colluding with others that are similar to them for criminal activities - gangs, drug smuggling, and probably other frauds too. I am not sure how you inferred caste based nepotism among *all* indians in tech from that article.
For one, I didn't say "all Indians" are bad apples, just that the nepotism and caste issues are rampant enough that it's a known issue at this point in the tech industry where Indians are sometimes overrepresented.
Secondly, do you expect people to post links to all cases of Indian nepotism/caste issues in the tech industry, when Google is at your fingertips with enough cases that it's not an isolated incident? That link was one an Indian friend shared right now when I sent him the Subaru link, when I asked him if the nepotism is real.
Fair enough that you did not say all Indians. But, your statement was broad enough to say nepotism is widespread among Indians in tech. And the article you linked was about fraud which doesn’t imply widespread nepotism in tech. I am not asking for articles for all instances but something that is more relevant to the point that you are making.
Sure, but if a group of Indian employees within Apple US are going out of their way to scam their employer for money, it's another black mark on the graph for that demographic being into unethical activities, since then you can't say anymore "well it's just one rogue bad apple, not representative for the whole group" when it's a coordinated effort of a whole group.
If they're willing to go that far to scam their employer, it's not far-fetched that they're also into nepotism when hiring.
You’re making the same mistake others here are. People hire from their networks just like they hire referrals. If you worked in India or China or wherever, you probably know some talented people of those ethnicities just as a result of your experience. Using your network to hire those talented people is normal and not discriminatory. Everyone does it. Somehow Indians are singularly attacked for it on hacker news and all kinds of assumptions (like nepotism) are made with zero evidence.
> Indians are some of the most racially nepotistic out there
I’ve heard this claim made often here but never observed it in real life. I think you and others who repeat this claim are confusing nepotism with just using one’s network to accelerate hiring. If someone happens to have a social or professional network mostly of one race, that doesn’t mean they’re automatically nepotistic when they draw from that network. Somehow this label rarely arises when white managers end up with mostly white teams. Why is that?
> Somehow this label rarely arises when white managers end up with mostly white teams. Why is that?
Easy: If you're in a country that's ~90% white, why would it be a surprise that 90% of the labor ends up being white? Are you seriously trying to play dumb and question obvious stuff like demographics under the nepotism/racism playing card? Similarly, why would it be surprising that a team in India is ~100% Indians?
But if in a country with a majority white demographic, Indian managers hire their wives, extended family members and Indian connection to work in their teams, therefore excluding a lot of the local, mostly white candidates, from the resume pile out of the get-go, you can't not raise eyebrows and assume potential discriminatory hiring practices, which are illegal in most western nations.
You’re making up the assumptions of nepotism. Everyone hires from their network or their employees’ networks. What do you think referral programs are, which are basically at every company? If you’ve worked with someone before and had a positive experience, they’re a much better bet than other candidates. Even if candidates are mostly white locally, the person doing the hiring may have past experiences where their network looks more like wherever they worked previously. That doesn’t mean they’re doing anything discriminatory or nepotistic now - they may just be hiring qualified people from their network, like everyone does.
By the way, I haven’t personally seen or heard of any examples of Indians (or other races) hiring wives and family members. This is often alleged and yet I’ve never come across a real life example. I am not saying it doesn’t happen at all, but that if it does, it is probably very rare and no different than how often it can happen with any other group. What I often see is people claiming that Indians hiring Indians (regardless of familial relations) is nepotistic, and I think that’s an assumption without basis.
First of all the term nepotism doesn’t get used there because white managers with mostly white teams simply get called racist, and “in violation of our DEI policy.”
For white people, just having your whole network be mostly white is itself said to be a red flag to a lot of people, regardless of how it came to be that way. So the same should apply to Indian people too. Their network ought to be more diverse if that’s the only place they are going to hire from.
(Or else we can drop the quotas, and hire on merit only - I’m absolutely fine with that!)
Personally my network has plenty of both. I’ve worked with some incredible Indian, American, and Indian-American people and they’ve each earned my respect.
Back when I used to do AppSec, these types of issues were extremely common. Software developers and their managers would argue endlessly about them not being real vulnerabilities, which meant I had to put together a proof of exploitability. And since these were interdepartmental fights, office politics get involved. Just one of the dozen or so reasons why I stopped doing AppSec and went back to development.
I left security work for a similar reason. In most companies, Security isn't there to collaboratively build more reliable and dependable products that protect customer privacy, bringing in a useful perspective of how things can go wrong, similar to QA's role. Instead, Security is there to be the internal police, who treat engineers (and other employees) like criminals, and get recognition and rewards for stopping the company from shipping. The way the vast majority of companies treat Security is deeply dysfunctional and soul-killing to anyone who wants to bring a glass-half-full mentality to work. And in an industry where it has become practically an expectation for people to jump ship after ~4 years, that's too much of a career risk to take. (side note: QA has exactly the same problem.)
While I'm sure that's also common, my general impression was that security was there to provide legal protection against being found to have been guilty of willful negligence if there were a breach. There wasn't a top down push for actual security but there was one for getting all the proper boxes ticked so the company could get the compliance certifications required for insurance and to make the legal department happy. Essentially it was financial risk management rather than data risk management.
That's the same pessimistic perspective. When SOC2 requires that commits be tied to reviews to show that work was visible and approved by management, and not just some cowboy engineer putting who-knows-what into production, but the control is implemented with a simple Jira issue regex so every developer just puts in place ABC-123 or ABC-999 on every commit, and anyway developers are free to open and close Jira issues without management noticing or approving, then the only people guilty of willful negligence are the so-called security engineers for putting in such weak controls and the auditors for approving them regardless, not to mention the security engineering's leadership's outright fraud for essentially lying about effective controls being in place when actually everybody internally considers it a massive joke.
The flip side of the joke being, of course, that everyone internally naturally prefers weaker controls (that help them ship faster compared) to stronger controls. So there's a wink and a nod and a smile and everyone moves on while institutionalized corruption is accepted. Nevermind that strong controls over commit messages can also help build automated documentation, notifications, and clear integrations like being able to link a production outage to the Git commit that triggered it, including full business context and knowledge of who to contact.
Note that there are two kinds of perspectives to build this kind of control - the glass-half-full perspective that builds Git -> Slack integrations to let people get notified quickly that a review was requested, including signals that this is a hotfix/simple/not-controversial/rubber-stamp to help get simple stuff approved quickly and deployed quickly, along with collaboration with auditors to get them the reports and commit samples they need. The glass-half-empty perspective is to say, well the auditors already have a built-in integration with Jira, so let's throw it in to Jira, along with a complicated and rigid workflow that forces everything to go through sprint planning and approvals by managers 3 levels up, and if it causes a production outage because something can't be fixed quickly, well that's not really Security's or Compliance's fault, the regulations are the regulations and the auditors are the auditors, and why are you trying to work around The Perfect Process That We Worked So Hard To Build, maybe you have malicious reasons hmmm? And maybe it's time we hired separate operators to run everything in production, like A Real Enterprise Company would, like some banks you've heard of?
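To make the contrast concrete, here is an added example in Python (not code from this thread or from any real compliance tooling): the regex-only commit-message control described above next to a check that resolves each key against the tracker and looks at who approved it. The issue table and the git log are constructed stand-ins for a Jira query and real history.

```python
import re

# Anything shaped like PROJECT-123; this is all the weak control looks at.
ISSUE_KEY = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")

# Constructed snapshot of the issue tracker, standing in for a live Jira query.
ISSUES = {
    "ABC-123": {"status": "Approved", "approver": "eng-manager", "assignee": "alice"},
    "ABC-124": {"status": "Open", "approver": None, "assignee": "bob"},
    "ABC-125": {"status": "Approved", "approver": "alice", "assignee": "alice"},
}


def regex_only_check(message):
    """The control as the thread describes it: passes whenever anything shaped
    like an issue key appears, so 'ABC-999' pasted into every commit satisfies it."""
    return ISSUE_KEY.search(message) is not None


def linked_issue_check(message, author, issues=ISSUES):
    """Stronger control: every referenced key must resolve to an issue that is
    approved, and the approver must not be the committer. Returns (ok, reason)."""
    keys = ISSUE_KEY.findall(message)
    if not keys:
        return False, "no issue key in commit message"
    for key in keys:
        issue = issues.get(key)
        if issue is None:
            return False, f"{key} does not exist in the tracker"
        if issue["status"] != "Approved":
            return False, f"{key} is not approved (status: {issue['status']})"
        if issue["approver"] == author:
            return False, f"{key} was self-approved by {author}"
    return True, "ok"


def audit_commits(commits, issues=ISSUES):
    """Run both controls over a list of commits (dicts with sha, author, message)
    and return the shas that pass the regex but fail the linked-issue check:
    exactly the commits an auditor sampling by regex would never notice."""
    missed = []
    for commit in commits:
        if regex_only_check(commit["message"]):
            ok, _ = linked_issue_check(commit["message"], commit["author"], issues)
            if not ok:
                missed.append(commit["sha"])
    return missed


# Constructed sample of a git log, not real project history.
SAMPLE_COMMITS = [
    {"sha": "c0ffee01", "author": "alice", "message": "ABC-123 fix session expiry"},
    {"sha": "c0ffee02", "author": "bob", "message": "ABC-999 refactor, trust me"},
    {"sha": "c0ffee03", "author": "bob", "message": "ABC-124 wip: new endpoint"},
    {"sha": "c0ffee04", "author": "alice", "message": "ABC-125 bump deps"},
]

if __name__ == "__main__":
    for sha in audit_commits(SAMPLE_COMMITS):
        print(f"{sha}: passes regex, fails linked-issue check")
```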
I was about to say exactly this. This is like REALLY BASIC stuff in designing web services. The fact you can reset the password with a single HTTP POST is mind-boggling, bypassing the 2FA by hiding a <div> is mind-boggling. Like, completely negligent. (btw they took over a Subaru employee account, not Starlink)
Or not requiring ANYTHING to authenticate in your forgetPassword endpoint, but being able to set a new password directly instead of sending a randomly generated per email / send a one time token to reset the password yourself via email
To me that sounds exactly like what I would expect from some of the junior developers I’ve met in recent years. Most of the business logic in JavaScript. Poor modeling of a client-server relationship, and no consideration of which parts of the system can be trusted. The design was based on the non-technical requirements doc or the mockups, and an inexperienced front-end developer asked the inexperienced backend guy (or maybe they’re the same person) for an endpoint, and for the inputs, he mapped directly the fields in the form.
Thankfully, even AI writes better code than this, so as this type of developer quickly becomes unemployable over the next few years, I think we’ll see a temporary increase in code quality.
This is exactly what I came here to say as well. Whoever wrote this fundamentally just doesn't get it.
This whole thing is honestly what I've suspected/expected owning this car, but it's somehow still surprising to see. My guess is no car company does this really well right now, and makes me want to drive a 1998 Acura Integra instead.
I used my Chrome inspector to edit a read-only field in Jira. Surprisingly I was able to edit it and submit the change. It completely fucked up whatever project we were about to use and we had to start over. The JIRA admins were scratching their heads.
I think you misunderstand what's being described. The server didn't check it, it accepted the modified hidden field. The server should have rejected the request.
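As an added example (not Subaru's code and not from the article or the comments), a Python sketch of the two handler shapes discussed above: the single unauthenticated POST that takes the new password and a client-supplied MFA flag, beside a token-based flow in which the second-factor state exists only on the server, so a modified hidden field cannot claim it. The user store, backup code and outbox are constructed stand-ins; the sha256 password hash is a placeholder for a real password KDF.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60     # reset tokens expire after 15 minutes
MAX_MFA_ATTEMPTS = 5    # after this many wrong codes the token is discarded


def _hash(value):
    # sha256 keeps the example self-contained; store real passwords with a
    # password KDF (argon2/bcrypt/scrypt) instead.
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed user store; the backup code stands in for the second factor.
USERS = {
    "owner@example.com": {
        "password_hash": _hash("old-password-placeholder"),
        "mfa_enabled": True,
        "backup_code_hash": _hash("BACKUP-CODE-1234"),
    },
}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires_at", "mfa_ok", "attempts"}
OUTBOX = []         # (email, token) pairs; stands in for the mail sender


def reset_password_vulnerable(body):
    """The flaw discussed above: one unauthenticated POST names the account and
    the new password, and the MFA flag is whatever the client chose to send."""
    user = USERS.get(body.get("email"))
    if user is None:
        return 404, "unknown user"
    if user["mfa_enabled"] and not body.get("mfaPassed"):
        return 403, "mfa required"
    user["password_hash"] = _hash(body["newPassword"])
    return 200, "password changed"


def request_reset(body, now=None):
    """Step 1 of the hardened flow: no password is accepted here. A random
    single-use token is generated, only its hash is stored, and the token goes
    out of band. The response is identical whether or not the account exists."""
    now = time.time() if now is None else now
    email = body.get("email")
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_hash(token)] = {
            "email": email, "expires_at": now + TOKEN_TTL, "mfa_ok": False, "attempts": 0}
        OUTBOX.append((email, token))
    return 202, "if the account exists, a reset link was sent"


def _live_entry(token, now):
    """Look up a token, dropping it if expired. Returns (token_hash, entry) or None."""
    token_hash = _hash(token or "")
    entry = RESET_TOKENS.get(token_hash)
    if entry is None:
        return None
    if now > entry["expires_at"]:
        del RESET_TOKENS[token_hash]
        return None
    return token_hash, entry


def verify_second_factor(body, now=None):
    """Step 2: the second factor is checked on the server and recorded against
    the token; nothing the client sends later can claim it happened."""
    now = time.time() if now is None else now
    found = _live_entry(body.get("token"), now)
    if found is None:
        return 400, "invalid or expired token"
    token_hash, entry = found
    expected = USERS[entry["email"]]["backup_code_hash"]
    if not hmac.compare_digest(_hash(body.get("code", "")), expected):
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_MFA_ATTEMPTS:
            del RESET_TOKENS[token_hash]
            return 400, "invalid or expired token"
        return 403, "second factor incorrect"
    entry["mfa_ok"] = True
    return 200, "second factor accepted"


def complete_reset(body, now=None):
    """Step 3: the token proves mailbox control, the server-side mfa_ok flag
    proves the second factor, and the token is consumed on success."""
    now = time.time() if now is None else now
    found = _live_entry(body.get("token"), now)
    if found is None:
        return 400, "invalid or expired token"
    token_hash, entry = found
    user = USERS[entry["email"]]
    if user["mfa_enabled"] and not entry["mfa_ok"]:
        return 403, "second factor required"
    new_password = body.get("newPassword", "")
    if len(new_password) < 12:
        return 400, "password too short"
    user["password_hash"] = _hash(new_password)
    del RESET_TOKENS[token_hash]
    return 200, "password changed"
```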
> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.
This is mind blowing to me.. Number 1, why do you need a car connected to the internet all the time? And how are you not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will?
If Chinese companies comply with the ban by providing car models without internet connectivity, it's hilarious to me that the nationalist regulation could make Chinese branded vehicles more desirable from a security & privacy standpoint.
In the short term. In the medium term it just means that when they finally do break in they will demolish the incumbent. This is exactly what happened with the US auto industry in the 80s. Protecting an industry with tariffs and legislation often makes that industry lazy and slow to innovate and eventually just kills it because they have forgotten how to compete.
Europe doesn't have that high tariffs on them, neither does the rest of the world. Chinese manufacturers will continue their global meteoric rise whether they are successful in the US or not; it's just 4% of the population even if wealthy.
And if they actually do provide better cars (more secure and respecting privacy while massively cheaper), who am I to complain.
> Number 1 why you need a car connected to the internet all the time
To open the car with an app (programming against Bluetooth is harder than calling a web API), or honk the horn if you lost it in a large parking lot.
> And how you're not required to sign at least 10 forms to confirm you understand that ALL of your travel data will be recorded and distributed at will.
Legally speaking, I believe that depends on your local privacy laws. Practically speaking, car makers (and government agencies) love these features for troubleshooting and tech support, or for flagging crashes before any authorities or local press have time to arrive (think Tesla).
Don't ask them about finding your stolen car, though. Then the data may suddenly not be available.
> because you can does not mean you should (or actually need to)
Most people don’t need to drive. Out of their driving, most of it is superfluous.
Pretty much everyone in my town with remote start uses it. Particularly if it’s a day where temperatures are close to 0°F and you’re weighing another run.
This is one of those comments that just tells everyone reading that you don't think much outside whatever area you dwell. There are lots of people not anywhere near you that do need to drive. Not accepting not everyone is like you is just small minded, and makes the conversation not worth having
> lots of people not anywhere near you that do need to drive
I live in Wyoming. Most people around me do need to drive. I’m saying take most vehicle-miles travelled in private cars and you’ll find that most people—being in or near cities—don’t need to take most of their trips. (Most trips I take don’t need to be taken, certainly not by private cars.)
I’m also not the one arguing that they shouldn’t do things that are nice but not necessary: you are. I’m analogizing a lazy summer trip to the grocery store to pick up a forgotten ingredient (when a bike would do fine, or hell, borrowing from a neighbour) with remote start. It’s convenient, marginally costless and rewarding in its own little way.
My Subaru supports remote start if you pay for the upgraded Starlink plan but if you want to do it from the keyfob, you have to buy some module and carry around an extra keyfob solely dedicated to remote start. It's a little ridiculous. They could have easily just made remote start something where you click and hold a button or whatever like any other car with that feature on the fob.
I'm not sure which model you have, but I don't think that's true. I think instead it's that unless you pay for the remote start upgrade (which as you say includes the extra fob) you can't start your car using the normal keyfob. But if you have the upgrade, you can also use the keyfob if you are close enough. At least, that's how it works for our 2018 Outback.
I think I've only used the dedicated remote start fob a couple times to test it, but I use the keyfob for remote starting frequently. If you want to try, here are some 3rd party instructions for which buttons to press to make it work: https://www.wheelsjoint.com/how-to-remote-start-subaru-outba...
Thanks, I wasn't entirely sure how it worked. I kept seeing instructions online for which buttons to press to do a remote start from the keyfob but nothing mentioned the required add-ons to make it work. I ended up just paying for the Starlink subscription at least for the cold months. I was hoping my Ascent would do an all windows roll down from the fob like some other cars I've had in the past but looks like it doesn't support that either. I plan to have this car for a long time so I may just invest in the remote start package or a competing product just to have the air running prior to getting in. Black exterior and interior was our only option so I'm not excited about summer.
IMO it's a mixed bag. Being able to start the process from further away than your key fob reaches is an improvement because the car can get actually warm while you're walking to it, rather than it just having a minute's head start, which at idle doesn't always get the engine warm enough to be nice and toasty.
For electric vehicles there's also benefits when charging because you can actually leave your vehicle and check if it's charged while you eat/shop/walk/etc to kill the time.
Then if you have kids that drive but don't have their own vehicle yet the location and speed tracking a lot of these apps provide is probably a big plus to them too. I'd certainly feel more comfortable with my kid using a car knowing I can find where they are and that they'll be a bit safer drivers since they can actually be caught speeding, I know I was reckless knowing there was basically no way for my parents to know.
None of this requires collection and storage of location long term but that's companies just following the profit motive of our entire system. It's shitty and bad they're allowed to do it but I'm hardly surprised that they do.
These things could certainly be convenient, de-icing while you're having breakfast etc but surely you don't need my location data recorded for those services ?
Maybe if there was a list of options I could select from then I guess it's fine.
I can't tell sometimes if people are trolling on HN or just young. Many so called great innovations I see are just stuff that was available decades ago but didn't involve ad tech predators.
You can tell this stuff isn't that interesting to people otherwise they'd upcharge you for it instead of using it as a pathetic piece of bait for a trap.
I'd only really heard of it as an aftermarket feature you had to mod onto the vehicle not as a base part of a package. At least not in the low market range you can get that feature now. Used EVs less than 30k come with that feature now.
Just as an aside - a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find-my-car type thing. The cops said they saw nothing on the street, so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.
> a friend had their car nicked in NYC this winter. He was able to tell the cops the car location from some Toyota find-my-car type thing. The cops said they saw nothing on the street, so unless he could come and make the horn beep in front of a garage - and then get a warrant - there was nothing more to do.
Here's the way it's done with Volvos (from the manual):
If the vehicle has been stolen or otherwise used without permission, the vehicle's owner, police and Volvo Assistance can agree to track the vehicle.
Note
This applies even if the vehicle has been opened and stolen using the associated remote key.
The following needs to be done:
1. Contact Volvo Assistance and say that you need help tracking the vehicle. Tracking begins.
2. File a police report.
3. Contact Volvo Assistance again and give them the police case number.
4. Volvo Assistance notifies the police of the vehicle's location.
If I'm a sensible person running a police department, with full knowledge of the here-described bugs and hazards as well as the deep experience all police get in the general "people being jerks" spectrum, it's gonna take a lot more than someone on the phone saying "my car manufacturer's app says the car is in there" to bust down the doors of some random place.
I'm starting to come around to the idea in general, actually, with all the comments promoting the benefits. I still don't see why travel locations need to be recorded, though. A pinging service would suffice if it was always connected.
The cops could only act if the car was on the street without getting a warrant first and they would not even consider that unless he went to the area in question and made the car do something distinctive enough.
We all know that even if the cops would file for the warrant, it would not happen quickly and the car would be chopped and gone long before.
So basically, yes this was a useless feature. Perhaps if it happened in a small town/remote area the outcome might have been different. Major city? I doubt the result would be much different than NYC.
In the US a bill was passed requiring driver impairment equipment on all vehicles and automatic deactivation of the vehicle if the driver is determined to be impaired. Current impairment technology monitors head and eye movement and/or blood or breath.
> All cars in Europe must be connected to the internet at all times by law, to determine their location
The source you link very explicitly contradicts that:
> Your eCall system is only activated if your vehicle is involved in a serious accident. The rest of the time the system remains inactive. This means that when you are simply driving your vehicle, no tracking (registering your car's position or monitoring your driving) or transmission of data takes place.
I'll try to dig up the criteria someday, if they're written down, but I imagine that "anything that triggered airbag inflation" is a good approximation.
> All cars in Europe must be connected to the internet at all times by law, to determine their location, in case of an accident the law states.
It isn't connected to 'the internet' either; it's an emergency call activation service, i.e. you can activate it to call 112 (emergency services) when needed without a charge. In fact it uses a SIM card to do so.
In fact your link doesn't mention 'online' or 'internet' anywhere.
In general, a lot of things in cars are for the law rather than the owner. I'm not saying it's a bad thing, just is what it is. Emissions is the biggest one.
Neither does climate control. If I remote start my Civic with its fob, it will heat or cool to the desired temperature I left it on. (And it will run the defroster if it's below a certain temperature outside.)
Having to think about the climate control is an anti-feature in itself, when that's a basic thermostat feature...
I used to commute into the city by express bus. Drive to Metro Transit Park-n-Ride lot, park the car and get on the bus.
On the way back a lot of people would start their cars (via app) when about 5 minutes away from the lot. That translates to about 4-5 miles at freeway speed.
Alternately, at the office, some people parked at a lot that was about a mile away and it's nice to be able to start your car when it's 95F or -15F so it's comfortable when you get there.
All I see is a waste of gasoline. Back when I was living in a cold country and drove a car early in the morning I would just use gloves, keep my jacket and heat my seat with a fart. ;-)
Umm… maybe not a mile, but if you’re walking ten minutes in ice/snow (maybe a quarter mile), it is VERY nice to have it warm when you get there. I’m surprised this is surprising.
I mean the ability to control the car remotely without line of sight or being anywhere near it, such as turning on the climate to warm up the car while still in a building so it's not freezing cold when we get back to the car with the kids, or while the car is in the garage, locking the car remotely because you're blocks away and aren't 100% sure you locked it before you left, opening the windows slightly so the car doesn't overheat in hot weather (Subaru doesn't do this unfortunately, but the Tesla does). The one thing it doesn't do which I wish it did, is roll up the windows remotely.
I have a 2013 Outback Limited that is basically right before all this stuff got really stupid and weird. It's a great car other than it's not very fast and it gets really bad gas mileage. Amazing in the snow. I have had it since December 2012, so I've had plenty of service visits where I got newer loaners. (I special ordered my car to basically load it but not have Starlink, not have the Sunroof, but have the leather seats and the HK upgraded stereo.)
Every time I have gotten a newer Subaru as a loaner it strikes me that they are worse cars for all this new stuff. The user interface is horrible in the new ones. In a lot of cases they have a skeuomorphic interface up on the touch screen that mimics the physical controls in my car! The actual physical controls are about 100x faster to operate and you quickly learn where the buttons are without looking.
I had an Ascent Onyx loaner last summer. The entire touch screen UI looked like it was barely operating above 10fps. Just gross. Lots of the UI is black and white as well, not even tasteful grayscale. The Onyx I had also had the upgraded HK stereo, and that is not as good as the one in my car either; it sounded noticeably worse.
The electric steering on the new Subarus is terrible as well. My old Outback is not exactly a sports car but getting out of new one back into mine it feels like you're getting into a Porsche or something when you feel the hydraulic steering. Engine/Turbo lag on a lot of the new ones is gross as well.
This is of course even worse! My car only has 120k miles on it, I plan to keep it for another 4 years and then maybe give it to my kid when he gets his license. Somehow I doubt Subaru will have a competitive vehicle by then. For me to consider another one they'd really need to have an EV Outback/Forester/Ascent or a Hybrid version that gets at least 40mpg. And they need to fix all this horrible infotainment stuff in a way that the car operates better than a kids toy and actually drives well like an older Subaru. Also they need to get off the whole stupid thing with giant rims. It's supposed to be a Subaru, it needs to have tires appropriate to going relatively fast on dirt roads.
I have been stranded twice because of Subaru firmware bugs which they knew about and failed to notify me of. The first one was the battery charging bug (which still happens even with the firmware fix, just more slowly). The second was the fuel gauge bug. This is a 2017 Outback, my second and last Subaru I'll ever own.
Regarding Starlink, there's actually a battery drain issue on older systems because the 3G modem fails to find a base station (because 3G is deprecated) and drains your battery doing retries. You can remove the Starlink module, but since the Bluetooth microphone and front speakers are routed through it, you'll lose that functionality unless you spend $80 for a dongle to restore them.
We actually own two Outbacks, a 2011 and a 2019. Both my wife and I hate the touchscreen system in the 2019, it is full of irritating bugs and even the physical climate controls (which IIRC were going away for the 2020 model year) have horrible indicators of their status compared to the older one.
I'd say the backup camera is a welcome addition for the newer one but if the roads are even remotely dirty the camera almost immediately becomes totally obscured rendering it useless, which around here occurs at least half the year.
Combined with the battery drain issue I will probably not buy another one. At the most I'll give them a test drive to see if the control system has been returned to some semblance of sanity. Unfortunately all new cars seem to be privacy nightmares so I'm not sure how I'll avoid that.
The 2024/2025 Ascent is what I had as a loaner that had the skeuomorphic UI on the screen that looked exactly like an older Subaru's physical climate control layout.
In addition to your comments, I think Subaru's all-wheel drive system has been switched to electrical instead of mechanical, making it worse. There are roller tests on YouTube which show Subaru AWD being outperformed by Ford AWD systems.
They have different AWD systems in different vehicles and for some vehicles there is more than one system depending on which transmission you purchased. (At least when there was a choice)
Mine is electrically controlled (and many Subarus are) but it's still connected full time. IME, driving other electrically controlled non-full-time systems, what you feel in those is the electrically controlled clutch packs completely disconnecting the rear wheels, so the AWD is 100% disabled until the traction control system kicks in. Then you get a brief moment where the car feels out of control until the clutch activates the AWD. The tradeoff is that a system that completely disconnects the rear wheels results in those vehicles (e.g. Honda/Toyota) getting much better fuel economy than Subarus, as they operate as front-wheel drive almost all the time.
I have never been in any Subaru that behaved that way. And a roller test is not where it matters anyway. Roller tests are contrived. Where you feel the difference between permanent AWD and part-time AWD is medium and high speed situations where the vehicle starts to lose control. Most people will never put any family crossover/SUV into a situation anywhere close to the roller tests or hill ascent tests.
All of this seems to become completely meaningless with EVs being the future.
The CVT in combination with the terrible traction control also kills any chance you have of getting out of a stuck situation. Subaru's AWD system is now mostly just marketing. So it's basically on par with most AWD systems, because most of them really are a joke.
I'm curious which exact model/year you had and how you got stuck.
I've never even gotten anywhere near close to getting stuck in 12 years.
But I'm not a Subaru offroad enthusiast. It seems like lots of people really want to use a Subaru for situations where they should have gotten a mountain bike, dirt bike, ATV, etc..
I know this is a Subaru hate thread on a site that knows basically nothing about cars so I’m spitting into the wind here, but this is just untrue. I’ve had 3 Subarus over a 20 year period of time, driven the hell out of all of them in snow and dirt, worked on and modified all of them, and the traction control system on my most recent one is categorically, objectively better than either of the prior two. It makes about 100 more horsepower than the earliest one and still gets better fuel economy, at least in part because of the CVT, despite weighing probably 600 pounds more. The CVT works perfectly fine for anything that isn’t doing the Rubicon trail.
The AWD is one of the few remaining permanently fully engaged systems, unlike basically every other manufacturer.
You can hate on Subarus for the stuff they’re actually bad at (fuel economy, infotainment, wind noise, head gaskets in the EJ series engines) without having to make stuff up.
I have a 2014 Forester. The first time it snowed I slid off my driveway and one tire was off the ground. Had to get towed by a friend because that one wheel kept spinning. I thought the brakes were supposed to stop that automatically. Didn’t happen. The second time I tried to drive through a small patch of snow I lost all traction and had to dig out all the wheels and rock it. It was 2” of melting snow over a 50 foot by 10 foot patch. Any ideas why? I’ve just avoided driving in the snow for over a decade. I really don’t see the hype vs my reality.
Sounds like a wrong tire problem, not an AWD problem to me.
My parents also had a 2014 Forester. They parked it next to my shed when they went on a cruise one winter, and it crawled itself out of a 2 foot snowbank without shovelling when they got back. That thing was a tank in snow and I definitely abused it when I had the chance.
For the 'tire spinning in the air', sounds like the other tires must have been spinning too so there wasn't anywhere to transfer the power to, but I'm only guessing.
Nope just one wheel. Factory tires. I like everyone telling me it’s my fault for not having the right tires. Lol. Like the claims Subaru makes are only valid if I spend a grand on tires for my new car. If you have to tie yourself in knots to justify marketing you can fuck right off.
This applies to literally every car ever made, and doubly so to those that have open differentials. Every single car manufacturer on earth provides cheap tires from the factory to keep the sticker price down. You can either get mad or you can learn something. Good luck to you.
I second the sibling comment saying that this is likely a tire issue more than anything. If you're sliding down a snowy driveway or hill, no AWD/4WD in the world will save you from that, that's purely a mechanical grip issue, i.e., tires. Literally everything having to do with grip (getting unstuck, braking, handling, stopping) depends on tires.
I'd recommend something like a Michelin CrossClimate or (depending on whether you're going to go on dirt/mud/trails) something like a Yokohama Geolandar G015. Going with something that is 3-peak Mountain Snowflake rated will help in the cold and snow.
Failing that, if you're going to run a more economy/highway-focused tire, just make sure to replace them before they get too worn. Most tires' winter performance falls off a cliff when they're old.
I don't know if the 2014 models have the X-mode system, but if they do, you'll want to enable it when driving on anything snow/dirt/gravel/sand, it will make the traction control brake vectoring power transfer more aggressive.
I have a CVT in my 2017 H6 Outback and the traction control is very easy to turn off. Two buttons and both the traction and spin control is off and now it is just AWD with a limited slip differential in the back (feels pretty similar to my 2006 Outback H6 which had no electronic traction control). You can wheelspin all day if you want or feather the throttle or whatever - offroad driving has been amazing
> It's a great car other than it's not very fast and it gets really bad gas mileage.
My 2013 Outback Limited with rally package (wheel paddle shifters etc) gets 32 on the highway with my driving habits and almost 28 offroading. That's with larger tires and a disconnected swaybar for better articulation, everything else is stock. CVTs don't respond well to lead-footing.
It actually does when you're off-road. If you can keep all tires in contact with the ground you aren't wasting fuel spinning one that isn't in contact with the ground (I keep the traction control off when offroading to avoid the system engaging its brake-based power delivery since it isn't an actual 4x4.)
The difference has been absolutely measurable, with a ~15% increase in fuel efficiency in very hilly or rutted terrain.
FWIW I have done this and received no confirmation or anything after more than 6 months. I keep submitting; maybe it's working, but it doesn't seem to actually result in a confirmable change.
For sure my retailer, which is a 3rd party according to that page, still has 100% access to the data, as they were able to tell my car was in another state when I called recently. Seems pretty troubling.
That's not how lawsuits work. You can't sue just because you don't like something. You have to prove harm. "not getting confirmation" hardly counts, especially if said confirmation isn't required by law.
I wish that keeping this much data was a liability. I want companies to be liable for damages in the millions of dollars if they share an entire year's worth of location data without express permission from the vehicle owner. HIPAA for "just" PII.
The most charitable guess I can make is that they use it to improve their driver assist, lane keeping, pacing, and that sort of thing.
Location and g-force and direction when the automated system shuts off and returns control to the driver, that sort of thing. I don't agree with it, but that would be my guess.
I own a Subaru that does this, so I'm not happy about it, but what can I do?
That stuff is probably more valuable than many of us want to admit. There is the maybe more noble value: training data for maps, traffic analysis AI, engineering duty cycle data, things like that. Then there are the other uses, for example various surveys and studies are needed for new roads or signal changes, can this kind of data proxy for that? We would be talking about cutting millions of dollars out of some of these projects and months or even years off a timeline. Then the ad-tech, where do you put billboards and signage? Where do you build a shop? Probably other uses we aren’t even thinking about.
The same thing all car manufacturers are after... AI. And I'm not joking this time.
Cars have become a commodity, especially since China made their first vehicles that didn't get outright banned in Europe for being too unsafe to be roadworthy, and even some nominally "entry level" cars have more horsepower under the hood than a 1990s 7-series BMW (138 kW). Strict requirements on emissions, fuel consumption and crash safety have all but eliminated differences in optics (the amount of shapes is finite). So the only thing left to differentiate other than build quality (where China is rapidly catching up) is assistance systems... and there, AI is the hot craze, and AI only works when it has insane amounts of data to gobble up.
> I want companies to be liable for damages in the millions of dollars if they share an entire year's worth of location data without express permission from the vehicle owner.
Moreover, not just millions of dollars in aggregate, but millions of dollars per individual customer whose privacy was violated.
If I collected this much information about a single individual, I would go to jail for stalking. But with the wonders of technology, I can stalk "at scale"!
The best case scenario for the next 5-10 years is that there will be no new federal privacy regulations. More likely, privacy regulations will be even further relaxed and customers will have even less recourse for violations.
You might have some luck pursuing this at the state level if you're lucky enough to live in a handful of states such as California or Minnesota.
As a DevSecOps/SRE whatever, I just gotta give props to the Subaru team for getting it patched within 24 hours. While it's just a small internal admin dashboard without real customer usage, the fact they acknowledged and fixed the issue so quickly speaks well of at least that part of Subaru IT.
Question: if you can remote start a Subaru with Starlink, does that mean I could start my car from the command line during winter??? I don't pay for Starlink, never really looked into it, but it sounds cheaper than installing a remote start system lol.
Having developed back end portals like this one for much smaller companies I find it hard to believe that there is an open endpoint to reset a password without any type of verification. What goes wrong in development that this type of crap makes it to production?
Probably QA is only going to make sure the features work. They aren't pen-testers. At best, they might try some unexpected inputs that trigger a security vuln.
I joined a startup with a product in production for a dozen or so major customers (US universities), public facing, with a slick new front and backend the team had been working hard on. I brought along a young engineer friend who had a pet interest in pentesting, so his first task before getting up speed as a dev was a security review.
He and I sat down on day one to poke around, mainly to get oriented, not expecting much. Popped up Chrome's devtool network panel, refreshed the login page.
One of the first XHR rows was to an endpoint named “getKeys”
The return object was the root keys for the AWS prod account.
This crap is incredibly common. Maybe not that egregious, but close enough.
> Note for customers retaining OEM headunit: This adapter can also be used for those wishing to remove/disable the OEM Subaru Telematics functions. This is done to eliminate the tracking capability that Subaru has built into these vehicles. If this is you, we will need to add an additional part to this adapter to re-enable the bluetooth microphone. Please purchase the option 2 adapter near the bottom of this page for this situation.
We bought a second-hand 2021 Highlander and thus did not sign any contract allowing our family to be tracked by Toyota. I went on a hunt recently for information on neutering the DCM but have thus far only found speculation and contradictory info.
Yeah it's bad out there. Don't do what the yahoos hacking up their harnesses have done. The Toyota DCM I'm familiar with has 3 coax antenna lines coming in. The outer 2 are cell and the inner is GPS. Pull the cell antenna cables out of the DCM and you should be good to go. Best to hunt down your vehicle's service manual and verify the procedure first.
Right, especially considering the Subaru Starlink service has apparently existed since 2014 or so[0], I have to wonder how long these vulnerabilities have been present.
I don't think that's correct. See the section in the article "Enumerating Employee Emails" which finishes "The jdoe@subaru.com (redacted) email was valid! We went back to the reset password endpoint and hit send."
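The two defects the thread describes in Subaru's portal (a reset endpoint that needs no proof of ownership, and a response that tells you whether an email address is valid) are shown here as an added Python example beside a hardened counterpart; this is not code from the article or from Subaru's portal, and the `User`/`ResetService` names, the in-memory store and the `jdoe@example.com` address are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256, stored as 'salt:digest' in hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    email: str
    password_hash: str
    # pending reset: (sha256 of the token, unix expiry); None when nothing is pending
    reset: Optional[Tuple[str, float]] = None


def vulnerable_reset(users: Dict[str, User], email: str, new_password: str) -> dict:
    """The shape of endpoint the thread describes (constructed illustration).
    Two defects: the reply reveals whether the address exists, and nothing
    proves the caller controls that mailbox before the password is replaced."""
    user = users.get(email.strip().lower())
    if user is None:
        return {"ok": False, "error": "unknown email"}   # enumeration oracle
    user.password_hash = hash_password(new_password)     # no token, no ownership check
    return {"ok": True}


class ResetService:
    """Hardened two-step reset: request a token by email, then redeem it."""

    GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."

    def __init__(self, users: List[User], now: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {u.email.lower(): u for u in users}
        self.now = now                            # injectable clock, for testing expiry
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for mail delivery

    def request_reset(self, email: str) -> str:
        user = self.users.get(email.strip().lower())
        if user is not None:
            token = secrets.token_urlsafe(32)                        # 256 bits of entropy
            token_hash = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored
            user.reset = (token_hash, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((user.email, token))                  # reaches the mailbox owner only
        # Identical reply for known and unknown addresses, so the endpoint is not an
        # oracle; in production, queue the mail so response time does not differ either.
        return self.GENERIC_REPLY

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        user = self.users.get(email.strip().lower())
        if user is None or user.reset is None:
            return False
        token_hash, expires_at = user.reset
        if self.now() > expires_at:
            user.reset = None                        # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False                             # constant-time comparison
        user.reset = None                            # single use
        user.password_hash = hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = ResetService([User("jdoe@example.com", hash_password("old-pass"))])
    print(svc.request_reset("nobody@example.com"))   # same reply for a missing account...
    print(svc.request_reset("jdoe@example.com"))     # ...and for a real one
    _, token = svc.outbox[0]
    print("redeemed:", svc.complete_reset("jdoe@example.com", token, "new-pass"))
    print("reused:", svc.complete_reset("jdoe@example.com", token, "again"))
```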
Previous Subie owner here (03 WRX, 04 Impreza, 03 Outback). I've been looking for an older one (2004-2013) for the last 6 months. The amount of people that don't know or don't disclose leaking differentials, leaking transmissions, and head-gasket issues (despite claiming they've been "fixed") is staggering.
With one car I inspected, me and two other buyers came to see it at the same time; I think the seller orchestrated that intentionally. Well too bad for him, I inspected underneath and it was a leaking mess from every section. To which I quickly pointed out to the other buyers. We all walked away lol.
Of course you can have these issues with newer models also, but they're so prevalent with the older ones.
Imagine that the manufacturer can do that without any hacks and without your knowledge about data collecting. Now imagine that you sell those cars to foreign countries that your government considers enemies. I'm curious when there will be some ban of a car brand, like TikTok.
I can't speak for Subaru, but I did this on my Toyota last weekend (cell radio, not space radio). The fuse pull on Toyota DCM affected other systems (GPS, microphone). I got a hold of the service manual, identified the cell antenna cables, and simply unplugged them. Now "simply unplugging them" required ripping apart quite a few things and dealing with some annoyingly deep bolts, but it wasn't too terrible.
Pulling the antenna cable is the right move.
Fun fact on car GPS: it actually feeds back through carplay so your navigation gets worse without it. What I have yet to figure out is if the network connection is given to the car through carplay.
This is absolutely my biggest concern for when I inevitably am forced to replace our aging vehicles. The unfortunate reality of living in the Northeast is that it's near impossible to find decent (not rusted) older cars for sale. Sure, I'm within the 99.9999% of Americans who have nothing to hide, but that unequivocally does not justify the physical capability of remote monitoring or control.
Why not just take a weekend to fly to where used cars are unrusted, and drive one back?
Also, there are quite a few well made older cars that are fully galvanized and don’t rust. I know a few people in the Northeast still driving 1980s Volvo 740s, still unrusted after nearly 40 years of salty roads. 1987 and later had the best rustproofing. I believe many older Audis also are galvanized.
The best galvanization was in the 80s when the OEMs were scrambling in the "surprise, lead just got banned" era (lead acts like an anode, think of it like a lesser version of a high zinc primer).
That said, it's not the thick hot dip you see on I beams or on bolts at the hardware store and a modern car with modern coatings and attention to corrosion is still better.
Of the three continents that produce a lot of cars the Europeans still take corrosion more seriously than anyone else.
Since Volvo was mentioned in the parent comment, did you know that if you buy a new Volvo you can get two free plane tickets to Gothenburg + one night's hotel stay to go pick it up at the Volvo factory? You can drive it around Europe for a while and then they will ship it back to the US for you. AFAIK it doesn't cost extra, it just adds some lead time as well as time waiting for your car to get to you after you fly home: https://www.volvocars.com/us/l/osd-tourist/
Our family did nearly exactly this when I was a child in the 80s, just subbing in Volkswagen and Dusseldorf IIRC. It was some months later when the car actually arrived on the west coast of the US, but my parents seemed to think it worthwhile.
Just as a warning- one needs to be willing to dish out the cash for one of these high end 80s European cars: they can sometimes cost hundreds of dollars. Really nice examples can cost more than their value by weight as scrap steel. And, although most are still going strong, it's possible some only have another 30-40 years of usable life left before needing major repairs, possibly even sooner if they have over a million miles already. A good running used engine or transmission for one can easily cost over $100- so one should also budget for that down the road as well.
I just didn't want to get anyone's hopes up on here, thinking they could easily afford one on a software engineer salary.
Yes exactly. Facebook, Craigslist (yes people still use it) allows searching in any area. Ideally if you have a willing friend living in a salt-free state, search for cars for sale in that area and have your friend take it for an inspection. If it seems good, fly in, buy it, drive home. Rust-free is a given so there's not really a premium to pay for it, unlike buying cars in the northern states.
Would you be willing to share the details of this either publicly or privately? (My email is in my profile.) I'm trying to do the exact same thing on my 2021 Highlander and have not been able to find any info. I found threads where people have asked how to do this on forums and reddit, but the responses are ALL along the lines of, "first, get a sheet of tinfoil, then shape it into a hat..." etc etc.
Does it actually never connect with the antenna disconnected? Most wireless receiving devices I’ve used will generally still work a bit with no antenna.
The screen shows a no signal symbol. I seriously doubt that a cell protocol could lock with just an exposed coax. The truly paranoid could stuff a piece of foil in the coax connector to short it to ground.
It might be better to attach a dummy load to replace the antenna so you don't burn out the radio circuit which may have side effects (depending on their design). You could wrap that in foil to ensure it can't get a weak signal through.
It depends on the car, but yes, you can pull a fuse. The component is called the DCM. If you do that though, you'll lose the front speakers and the microphone, which are routed through the DCM to support STARLINK-based cellular calls (like OnStar). The better solution is to disassemble the dash and replace the DCM with a bypass box, or yoink the cellular antenna cables as others have said. That's a bit of work for sure. I was lucky to have it done by Subaru under warranty service, in response to the 3G cell shutdown causing the DCM to malfunction and drain the battery.
“SOA does not collect any vehicle-generated data unless the vehicle is associated with an active STARLINK subscription service. To sign up for the STARLINK service, you must have a MySubaru account.”
Luckily, in right to repair states, such as Massachusetts, Subaru chose to disable Starlink altogether instead of making support documentation available under the law.
I live in the city so I've never owned a car, but would like to get one at some point. I'd want at least a plug-in hybrid, if not full electric, and absolutely no internet connectivity or tracking (or at least something that can be physically removed).
Is there even a single (new) car that fits this criteria?
A shocking thing about Subaru cars with Starlink (their infotainment system and connected service for things like remote start) is how deep the violation of privacy is. For example they share your location data with Sirius XM by default, unless you go deep in their menus to realize it’s even happening and opt out. They bury the consent in fine print that you fly through at the dealership. Truly a despicable company.
All car companies do this since around 2011 (in the US). They also immediately sell all this data to car insurance companies.
Many apps on your phone that use location data for anything are mostly using an APK that includes a couple of car insurance companies' code that also just directly shares that with them. (They made the location APK for app makers to have an easy to use location data tool.)
I love the variety of tooling and joining the dots to complete this attack: dns + scanning + human factors research + html bypass on the admin site itself...
tfw your car is also an always-online computer running proprietary software you have no control over ... and that software is written by people who think you can block login with a modal overlay, and who make a public-facing API call that resets a password with nothing more than the account's email address...
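A constructed, defender-side illustration of the two failure modes named in the comment above. It is added here and is not Subaru's code or anything from the write-up: the server, not a client-side overlay, decides whether a login or an admin lookup succeeds, and a password reset proves control of the mailbox with a single-use, expiring token instead of accepting just an email address. All accounts, passwords, and helper names (`Backend`, `build_demo`, `lookup_allowed`) are made up for the example.

```python
"""Added example (not Subaru's code): server-side gating for logins and
admin lookups, plus a token-based password reset shown next to the weak
email-only pattern for contrast.  All names and data are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000       # illustrative work factor; tune for real hardware
RESET_TTL_SECONDS = 15 * 60   # reset tokens expire after 15 minutes


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) so the salt travels with the hash."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    email: str
    pw_hash: bytes
    role: str            # "customer" or "employee"
    active: bool = True  # an offboarded employee is deactivated here, not only in the UI


@dataclass
class Backend:
    users: dict = field(default_factory=dict)         # email -> User
    reset_tokens: dict = field(default_factory=dict)  # sha256(token) -> (email, expiry)
    outbox: list = field(default_factory=list)        # stand-in for the mail system

    # --- login: the server decides, whatever the client rendered ---
    def login(self, email: str, password: str, ui_overlay_shown: bool = False):
        """Return a session dict or None.  `ui_overlay_shown` exists only to make
        the point that a modal on the client never blocks the underlying request."""
        user = self.users.get(email)
        if user is None or not user.active:
            return None                        # deactivated accounts are refused here
        if not check_password(password, user.pw_hash):
            return None
        return {"email": email, "role": user.role}

    def admin_lookup(self, session, target_email: str):
        """Admin-panel data access re-checks the caller's role and status server-side."""
        if session is None or session.get("role") != "employee":
            raise PermissionError("employee session required")
        caller = self.users.get(session["email"])
        if caller is None or not caller.active:
            raise PermissionError("session belongs to a deactivated account")
        target = self.users.get(target_email)
        return None if target is None else {"email": target.email, "role": target.role}

    # --- weak reset: the pattern the comment criticises, kept only for contrast ---
    def weak_reset(self, email: str, new_password: str) -> bool:
        """Anyone who knows an email address can set that account's password."""
        user = self.users.get(email)
        if user is None:
            return False
        user.pw_hash = hash_password(new_password)
        return True

    # --- hardened reset: prove mailbox control with a one-time, expiring token ---
    def request_reset(self, email: str) -> None:
        """Always returns None so callers cannot learn whether an address is registered."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()  # store a digest, not the token
            self.reset_tokens[key] = (email, time.time() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))  # only the mailbox owner ever sees the token

    def complete_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email].pw_hash = hash_password(new_password)
        return True


def lookup_allowed(backend: Backend, session, target_email: str) -> bool:
    """True if the admin lookup is permitted for this session (helper for the demo)."""
    try:
        backend.admin_lookup(session, target_email)
        return True
    except PermissionError:
        return False


def build_demo() -> Backend:
    """Constructed sample accounts: one customer, one offboarded employee, one active employee."""
    b = Backend()
    b.users["alice@example.com"] = User("alice@example.com", hash_password("correct horse"), "customer")
    b.users["bob@example.com"] = User("bob@example.com", hash_password("hunter2"), "employee", active=False)
    b.users["carol@example.com"] = User("carol@example.com", hash_password("tr0ub4dor"), "employee")
    return b
```

The design point is that every decision lives on the server: the deactivated employee cannot log in no matter what the client shows, a customer session cannot reach the admin lookup, and `weak_reset` is the only path that lets an email address alone change a password, which is why the hardened flow never returns the token to the requester and accepts it exactly once before it expires.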
Slightly off topic: How are recent Mazdas in regard to all of this stuff? They were not included in that Mozilla privacy expose and I have a CX on my short list for this spring.
They are above greed so they don't do that unlike literally everybody else pinky promise.... Do people seriously believe any tech corporation is above surveillance capitalism.
Would the remote 'stop' stop a moving car? It's scary to think that someone could have easily used this basic exploit to stop all the affected vehicles on the road.
There are a striking number of stories in this thread of incompetence and unethical behavior on the part of Subaru, and it makes me sad that the company has turned into such a wreck. Maybe they were always run this way but older technology didn't allow them to be quite so scummy.
I bought a Subaru in the aughts that I absolutely loved and had assumed my next car would be from the same company. But when I test drove and looked into a new model I was shocked at how many terrible changes had been made, and I didn't even uncover half of what is in this thread.
I'm not holding my breath, but hopefully the bad press affects sales enough to make the people running this company care and alter their behavior. The mechanical cars themselves are still nice to drive, but the terrible interfaces, obscene amount of spying, and intrusively unethical behavior really kill the experience.
IMO Subaru has been one of the most overrated car brands for decades.
Sure, these data privacy issues are rampant across the automotive industry. It really isn’t just Subaru.
But really what I’m talking about is the entire product. I have no idea why people like them so much:
- Some of the worst exterior styling of any brand
- Cheap interiors that are so ugly
- Their history is riddled with major powertrain issues especially for how well-regarded they are
- Historically horrific gas mileage compared to competitors as a tradeoff for symmetrical all-wheel-drive that realistically very few of their buyers need.
- Their gas mileage isn’t bad anymore but they haven’t even released any hybrids yet, meanwhile every competitor under the sun has hybrids all over the place
- Their current infotainment system is god awful with horrendous graphics and the climate controls are stuck inside it
I think the only positive thing I can say about the brand is that they're the last company selling a non-euro-luxury station wagon in the US, but really it's basically a similar stance as a typical crossover SUV so you might as well buy one of those (or just get yourself a used E Class wagon and end up with a much better car).
Good god. This is why I will continue to repair my older car until it's completely infeasible to do so. Then what? Are there internet communities out there actively working on disabling all this nonsense? Can't imagine buying a car like this without knowing I can physically disable the cell modem.
> After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.
So 'only' Subaru, Starlink, their business and advertising partners, and law enforcement, can remotely track (and disable - don't think you can run from the law!) your car?
> I didn’t realize this data was being collected, but it seemed that we had agreed to the STARLINK enrollment when we purchased it.
Assuming it's possible to not agree to it - does that completely disable the system, or is everyone with a Subaru just one warrant away from getting locked in their car until the police can come to arrest them? Does the car still store (I'm charitably assuming it doesn't transmit) location data, so all your friends can retroactively be identified and arrested as well, even if you never agreed to any tracking?
(To get ahead of the usual retort - haha yes, phones also track this data, therefore let's not fix any problems unless we can fix all of them at the same time. But actually let's use the other problems as an excuse to do nothing.)
Any partner that pays enough $$$ can likely do whatever they want. That is obvious by the fact that a year of driving history is displayed. If they didn't want to sell the data/access then they wouldn't be collecting such a long history of it. This is evil. I will avoid being forced to give this information at every possible turn and the companies doing this, and hiding how much they collect, should all be shut down.
That's absurd. Collecting and selling your data and allowing a third party to remotely lock your car are two very different things. I have no doubt car companies sell your data, I am extremely skeptical third parties can buy rights to control your car and if that ever happened, we'd all hear about it really fast.
Do you honestly think that they have a limit to what they will sell? I could easily imagine them selling this access to companies that repossess vehicles. An 'ownership dispute' fee that prevents your car from starting and grants additional access to the company. As soon as I typed that I couldn't stop thinking that that has to be a real thing they make real money on already. If it isn't then my guess it is only because they haven't thought about it. Companies will do anything they are explicitly allowed to do or have plausible deniability on to make money.
Yes, I think if they sold that it would have happened by now and you'd have heard about it. Law of big news applies. Also a quick Google would tell you Ford tried to patent this in 2023 and people were outraged over the idea so they dropped it. So I doubt some other car company is doing it and secretly getting away with it.
I was lucky to have the DCM in my 2019 Outback (which is responsible for cellular communication and thus this whole STARLINK thing) replaced with a bypass box under the warranty program related to the end of 3G service. My car was trying to go online 30 times an hour or something like that, draining the battery enough that it needed to be replaced after just 4 years. They don't have enough new DCMs so they were willing to replace it with a bypass box instead, which seems even better to me.
So at least my Subaru cannot connect to the cloud anymore. I'm sure it still stores location and telemetry data for insurance fraud reasons though.
You’d be surprised - a lot of younger dudes in particular appreciate things like this, as well as certain types of exhaust modifications and the like ;)
I had a similar issue when I connected my electricity provider to my Kia EV6. Presumably it would turn on charging when the price was optimal, but they were pinging it for status so often that the car never went to sleep, and it drained the 12V. Funny enough, the dealership couldn't figure it out; I "fixed" it by changing my Kia credentials.
FWIW I never replaced the 3G box in my 2018 Subaru, and never have a battery drain issue. The battery did fail about 4 years in to owning the car, but it was a cell failure not a drain issue.
My Subaru, a 2018 Outback, would be completely battery dead if I left it parked for more than a week or so. Happened once at the airport, after which I started carrying a battery pack car starter. The guy at the airport who gave us a jump said it happened all the time with Subarus in long term parking.
My local mechanic said that there is a firmware update that supposedly fixes the radio drain last time I replaced the battery but I haven't looked into it. He primarily works on Subarus and it sounded like he'd seen that as a root cause of dead battery a lot.
Is that firmware update also just replacing the 3G SIM though with a 4G one? In that case it will just fix the issue of it not being able to contact the cloud servers.
Also makes me wonder - what if someone has a Subaru and lives out in a very remote area where there is no 3G or 4G service? Would that not have the same issue as the cell towers being deprecated for 3G? Seems like (specifically for Subaru owners) this might be a more common type of living situation than other car owners too!
My 2017 hasn't had the battery issue yet (they said only some Subarus are supposedly affected). How did you verify how often it was trying to go online?
Now very curious in this bypass box as well - I heard just manually removing the 3G SIM (supposedly easy) can also maybe cause battery issues. If the "bypass box" alleviates all potential use of the system that is ideal long term!
Hmm really? My Camry made it nearly 10 years, and my Civic still had a good battery 6 years in when I sold it.
Regardless, the battery and DCM were both tested by Subaru. The battery tested bad, and the DCM tested for a high parasitic draw. I drove the car daily, and the battery would die if I didn't drive it for 4 days. I didn't just make this up either, search "DCM parasitic draw" on Google for more. Subaru even sent me a letter outlining my options for repairs.
Lots of places will say an average car battery's life is somewhere around 3-5 years. It is highly dependent on weather. Here where there are regularly long spans of 100F+ days, a battery will have done pretty good to make it five years; many die in 3-4. Same in very cold climates. If you're in a place with good weather all the time they'll last considerably longer.
I've heard about this being a known issue with cars from other manufacturers, so I can believe it. It's interesting that nobody thought to include a way to let the vehicle know it should stop trying to communicate to handle a potential end-of-service situation like this. It's fairly common for people to keep cars for more than a decade, they're a really expensive necessity for many.
That's a known issue. Reports all over the Subaru forums.
I tried to measure it myself with my little multimeter and now I don't have a working multimeter.
One suggestion I tried that seemed to work was to not keep the key close to the car; since that's not physically possible for me I wrap it in an ESD bag. Haven't had much issue since, but no promises.
Eh, I think 6 years is kind of average. My previous one lasted 10-11 years. My current one is 8. I had two others that were 4-5 years and still going strong. This was in a location that gets reasonably hot in the summer and reasonably cold in winter. If it's only lasting you 3-4 years, then it's a shitty brand, the battery was abused, or it wasn't maintained.
No, disagreeing does not completely disable anything, as you can call Subaru at any time and tell them that you want to subscribe, and they can enable Starlink remotely.
I do not know exactly what is transmitted or stored when you do not have an active subscription, but you are one warrant away from having the police ordering Subaru to track your car. But they would probably try this with your cell provider before they try your car manufacturer.
My new car came with something called "Google Built-In," which seems to be the bastard sibling of Google Car Play.
During the set up, if you'd like to read the privacy policy, you must scan a QR code on your phone, which opens a web page that does not display on mobile devices.
If you'd like to opt-out of anything, you have to create a Google account, then log the car into that Google account, then log into that Google account on your phone, then go hunting for the settings on both the car and in the Google account online. Good luck finding them all.
Also, it is not possible to uninstall certain "essential" Google apps from the car. Apparently, YouTube is now an "essential" part of driving.
Only the EX90 it seems is made in SC, possibly just assembled from parts made in China. All other electric Volvos (including Polestar) are straight from China. Gas models and hybrids are still built in Europe but are being phased out.
Cars don't use modern chips ... They use reliable chips that are built to withstand being in a car for years on end ... They also don't need to be as small as possible so older processes will suffice
You’re going beyond the capabilities demonstrated for us here. Whether or not those types of abilities could be built if they wanted to, here is what the author demonstrated:
- ez employee account takeover
- as the admin panel employee you can look up the customer’s billing account info and location history, make any changes to the customer account that a customer service employee can
- you can also add an arbitrary account as an authorized user for any customer
- so you can now log into the regular “Subaru owner” mobile app as that account and that’s how the car-impacting parts of this vulnerability were actually performed.
That means you can activate key fob type commands and see the tracking information available through that app.
The reason I point this out is that you said “remotely disable” and “lock you in your car” - and those are both things such an app can’t do. There’s no “disable car” button in those apps.
If it’s anything like my GM car, it takes like 30 seconds for the car to act on each command you send. So you could lock someone out but if they have a key it’ll be easy for them to unlock it before you can re-lock it. And if it’s in motion you can’t stop it from the app. And finally cars don’t support locking in. They are all designed with handles that will open mechanically with either one or two pulls. Worst it can do to stop you is sound your alarm.