On 25 january 2025, sbaru was exposed to a serious security loophole, which, although repaired, still exposes major current car privacy protection concerns. According to engadget, security researchers sam curry and shubham shah found that there was a security risk to the sbaru staff web portal, through which hackers could remotely control vehicles and view location data. Researchers warned that sbaru was not the only company with vehicle data security problems and that other brands might face similar loopholes. Following the discovery of the loopholes, sbaru was quickly repaired. According to the researchers, no hackers had taken advantage of the loophole before it was repaired. However, the researchers note that authorized staff in sbaru are still able to access information about the location of the owner through simple information. The loophole appears in sbaru called "starl"Ink's service. By finding the e-mail address of sbaru's employees on the british side, the researchers had bypassed two security issues by resetting the password and bypassing the dual identification. While they tracked data on the location of vehicles tested for one year, it was not possible to confirm whether staff could trace to earlier data. In addition, the administrator portal allows researchers remote control of vehicles, including start-ups, stops, locks and unlocks. However, curry's mother did not receive any notice of unlocking. Researchers also have access to sensitive information about the owner, such as emergency contacts, credit card information and vehicle pin codes. The spokesperson for sbaru stated that the loophole had been repaired and stressed that there had been no unauthorized data access. The company also noted that only partially authorized staff could access the owner's location information. For their part, researchers indicate that similar loopholes are prevalent in multiple car brands, exposing serious gaps in data security and privacy protection in the automobile industry。
