How a Security Flaw in a Car Manufacturer’s Web Portal Gave Hackers Remote Access to Unlock Vehicles

Admin


A security researcher has uncovered serious flaws in a major carmaker’s online dealership portal, exposing customers’ private information and vehicle data. The flaws could have allowed attackers to access customers’ vehicles remotely.

Eaton Zveare, who works at a software delivery company, found a significant vulnerability that let him create an admin account for the carmaker’s central web portal. This gave him complete access to sensitive customer information and vehicle functions.

Imagine being able to see someone’s personal and financial data, track their vehicles, or even control some functions of their cars, all without raising any alarms. “It’s a scary thought,” Zveare notes. While he chose not to reveal the carmaker’s name, he mentioned it’s a well-known brand with multiple sub-brands.

In a recent chat before his appearance at the Def Con security conference, Zveare highlighted how insecure dealership systems can be. They grant wide access to employee and associate data, making them tempting targets for hackers.

Zveare stumbled upon this flaw during a weekend project earlier this year. Once identified, he found ways to bypass the login security altogether. This allowed him to create a “national admin” account that could access over 1,000 of the carmaker’s dealers across the United States.

Surprisingly, there’s no evidence that anyone else had exploited this vulnerability before him. “No one even knows that you’re just silently looking at all of these dealers’ data,” he explained.

Inside the portal, Zveare discovered a tool that could look up customer vehicle and driver information. He was able to identify a car’s owner from nothing more than its vehicle identification number, read off a car parked in public. Anyone with this access could also look up a person’s information using only their name.

Once logged in, Zveare could also link any vehicle to a mobile account, granting full remote control over functions such as unlocking the car. He tested this with a friend’s consent and found the transfer process alarmingly easy: a simple attestation of ownership was all it required. “It’s a minor promise, but it’s way too easy,” he stated.

The physical-security consequences are direct. Zveare warns that these vulnerabilities could be exploited by thieves to break into vehicles and steal items. Because the dealership systems are interconnected, access to one system can also expose further weaknesses across the rest.

One frightening feature was the ability to impersonate other users, which could have serious security implications. “These are just security nightmares waiting to happen,” he said, comparing it to a similar flaw discovered in a Toyota dealer portal earlier this year.

Once inside the portal, he uncovered personally identifiable customer data, financial information, and real-time tracking systems for rental cars and vehicles being shipped. Zveare didn’t test the cancellation feature, but the implications were clear: this level of access could lead to significant harm.

Fixes for these flaws took about a week after Zveare reported them in February 2025. The main takeaway? He emphasizes that just two API vulnerabilities can open the floodgates. “It all comes down to authentication. If that’s flawed, everything else can crumble,” he concluded.
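The two weaknesses the article describes, an account-creation path that let an outsider obtain a “national admin” role and a vehicle-to-account link that needed only a self-attestation of ownership, are both authorization failures at the API layer. The following is an added illustration, not the carmaker’s code and not something Zveare published: it places a hypothetical weak handler for each operation beside a hardened one that decides role and ownership on the server from records it already holds. The registry, roles, session fields and function names are all constructed for the example.

```python
# Added illustration (not the carmaker's code): weak and hardened forms of
# two portal operations, account creation and vehicle-to-account linking.
# Every name and value here is constructed for the example.
from dataclasses import dataclass, field
from typing import Optional

# Constructed vehicle registry: VIN -> customer id of the verified owner.
VEHICLE_OWNERS = {
    "VIN-EXAMPLE-0001": "cust-100",
    "VIN-EXAMPLE-0002": "cust-200",
}

# Hypothetical role hierarchy; a higher rank may manage lower ones.
ROLE_RANK = {"customer": 0, "dealer_agent": 1, "dealer_admin": 2, "national_admin": 3}


@dataclass
class Session:
    user_id: str
    role: str                                  # set by the server at login, never taken from a request
    verified_identity: Optional[str] = None    # customer id proven by an out-of-band check, if any


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


# --- account creation ------------------------------------------------------

def weak_create_account(request: dict) -> dict:
    """Weak form: the role comes straight from the client request, so any caller
    can ask for 'national_admin'."""
    return {"username": request["username"], "role": request.get("role", "customer")}


def hardened_create_account(session: Optional[Session], username: str,
                            requested_role: str) -> Optional[dict]:
    """Hardened form: only an authenticated dealer_admin or above may create
    accounts, and never with a role above their own."""
    if session is None or session.role not in ROLE_RANK or requested_role not in ROLE_RANK:
        return None
    if ROLE_RANK[session.role] < ROLE_RANK["dealer_admin"]:
        return None                            # caller is not allowed to create accounts at all
    if ROLE_RANK[requested_role] > ROLE_RANK[session.role]:
        return None                            # no granting a role above the caller's own
    return {"username": username, "role": requested_role, "created_by": session.user_id}


# --- vehicle-to-account linking --------------------------------------------

def weak_link_vehicle(session: Optional[Session], vin: str, attested: bool) -> bool:
    """Weak form: any logged-in user who ticks the attestation box may link any
    VIN that exists; nothing checks that they own it."""
    if session is None or not attested:
        return False
    return vin in VEHICLE_OWNERS


def hardened_link_vehicle(session: Optional[Session], vin: str, attested: bool,
                          audit: AuditLog) -> bool:
    """Hardened form: the attestation is still recorded, but the decision rests
    on the server's own owner record matching the caller's verified identity."""
    if session is None or not attested:
        audit.entries.append(("deny", "no-session-or-attestation", vin))
        return False
    if session.role not in ("customer", "dealer_agent"):
        audit.entries.append(("deny", "role-not-permitted", vin, session.user_id))
        return False
    owner = VEHICLE_OWNERS.get(vin)
    if owner is None:
        audit.entries.append(("deny", "unknown-vin", vin, session.user_id))
        return False
    if session.verified_identity != owner:
        audit.entries.append(("deny", "ownership-mismatch", vin, session.user_id))
        return False
    audit.entries.append(("allow", "linked", vin, session.user_id))
    return True


if __name__ == "__main__":
    log = AuditLog()
    stranger = Session("u-1", "customer")                 # no verified identity
    owner = Session("u-2", "customer", "cust-100")
    print("weak link by stranger:", weak_link_vehicle(stranger, "VIN-EXAMPLE-0001", True))
    print("hardened link by stranger:", hardened_link_vehicle(stranger, "VIN-EXAMPLE-0001", True, log))
    print("hardened link by owner:", hardened_link_vehicle(owner, "VIN-EXAMPLE-0001", True, log))
    print("weak admin creation:", weak_create_account({"username": "x", "role": "national_admin"}))
    print("hardened admin creation by agent:", hardened_create_account(Session("d-1", "dealer_agent"), "x", "national_admin"))
    for entry in log.entries:
        print(entry)
```

The audit entries matter as much as the denials: the article notes that nobody would have known an outsider was “silently looking at all of these dealers’ data”, and a denied ownership-mismatch or role-not-permitted event is exactly the signal a detection team can alert on.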

Weaknesses in online systems remain a pressing issue. According to a recent report by Cybersecurity Ventures, cybercrime is expected to cost the world $10.5 trillion annually by 2025. As technology becomes more integrated into our lives, ensuring robust security measures must remain a top priority for businesses and consumers alike.


Tags: privacy, Remote Control, cybersecurity, car security, Def Con 2025