Wyomingites love their Subarus. Whether you’re tackling a snowy mountain pass, cruising the plains, or loading up the skis for a weekend adventure, a trusty Subaru is practically a badge of honor around here. But what if I told you that the biggest off-road hazard for your Outback isn’t a pothole—it’s a cybersecurity pothole big enough to swallow your data whole?

Recently, security researcher Sam Curry uncovered a doozy of a vulnerability in Subaru’s Starlink connected vehicle service. You know, the system that lets you remote-start your car, locate it in a crowded parking lot, or even call for roadside assistance. Turns out, it also had an unintentional feature: a giant back door into customer accounts in the U.S., Canada, and Japan. Oops.

Curry reported the problem to Subaru and it was corrected within 24 hours without a data breach, maintaining the Subaru Equals Love tagline for those of us in cybersecurity.

But, How Bad Was It?

Pretty bad. Curry and fellow researcher Shubham Shah discovered that Subaru’s administrator portal—the one that should have been accessible only to employees—had the equivalent of a “Come on in, make yourself at home!” sign on it. By poking around a subdomain (subarucs.com), they found JavaScript files that revealed a security nightmare: any employee’s password could be reset without a confirmation token. That’s like being able to change the locks on someone’s house without needing a key.

It gets worse. Once inside the admin panel, they found they could modify total access to vehicles;  no owner verification, no alerts, just the digital equivalent of handing over the keys to a stranger. This meant bad actors could have potentially unlocked doors, started engines, and taken off with someone’s beloved Forester without so much as a hotwiring attempt.

But Wait, There’s More!

If this sounds familiar, it’s because similar security flaws have been found in other automakers’ connected car services. Curry previously warned about a bug in Kia’s online services that exposed millions of vehicles to remote hacking. And in 2023, he and six other researchers uncovered vulnerabilities affecting 16 different car brands that could lead to data leaks, remote control exploits, and enough cyber mayhem to make a hacker’s heart race faster than a WRX in sport mode.

What Does This Mean for Wyoming Drivers?

If you own a Subaru, or any connected vehicle for that matter, here’s the takeaway: Your car is now a rolling computer, and just like your laptop or smartphone, it needs protection. Automakers are racing to secure these systems, but as we’ve seen, vulnerabilities still slip through the cracks.

Here’s how you can protect yourself:

• Update, update, update. If Subaru releases a software patch for Starlink, install it immediately. Cybersecurity is an arms race, and patches are your best defense.

• Use strong passwords. If your vehicle service lets you set a password for remote access, don’t use “password123.” Make it strong, unique, and (please) not your dog’s name.

• Enable two-factor authentication (2FA). If Subaru (or any connected service you use) offers 2FA, enable it. It adds an extra layer of security.

• Be skeptical of phishing scams. Cybercriminals love pretending to be your car company. If you get an email asking you to reset your password or log into a strange-looking website, verify it’s legit before clicking anything.

The Road Ahead

Cybersecurity in vehicles is still a developing battlefield. While Subaru (and other automakers) did beef up security, history tells us new vulnerabilities will emerge. The best thing we can do as consumers is stay informed and practice good cyber hygiene.

So, next time you’re heading into the wild Wyoming backcountry, remember: The road may be rough, but your cybersecurity doesn’t have to be. Drive safe, stay secure, and maybe double-check that your car is only answering to you.