Security Flaws Allow Hacker to Remotely Unlock Cars Anywhere

A startling revelation has emerged about security flaws in a carmaker’s online dealership portal. These flaws potentially exposed private information and vehicle data of customers and could have allowed hackers to remotely access and unlock vehicles.
Eaton Zveare, a security researcher at Harness, disclosed this vulnerability to TechCrunch. He discovered that the flaws allowed the creation of an admin account that provided "unfettered access" to the carmaker’s centralized web portal, potentially exposing customers' personal and financial data, enabling vehicle tracking, and allowing certain vehicle functions to be controlled remotely.
The carmaker in question remains unnamed, although Zveare confirms it's a widely recognized automaker with popular sub-brands. He plans to discuss these findings at the Def Con security conference.
Zveare, who has a history of uncovering security bugs in carmaker systems, stumbled upon this flaw during a weekend project. By exploiting these flaws, he could bypass login mechanisms and create a "national admin" account, thus gaining access to over 1,000 dealers across the U.S.
"No one even knows that you’re just silently looking at all of these dealers’ data," Zveare mentioned, highlighting the potential for viewing confidential data without detection.
Crucially, the portal also included a consumer lookup tool, which could be used to identify vehicle owners using only a vehicle identification number (VIN). Zveare demonstrated this by accessing the personal information of a car owner with their consent.
The security gaps allowed pairing of any vehicle with a mobile account, enabling remote control of car functions like unlocking doors. Zveare tested this feature using a friend's account, which only required basic user attestation.
Further compounding the issue, the portal's interconnected systems enabled admin impersonation, letting users access different dealer systems as if they were another user. This mirrors a vulnerability found in a Toyota dealer portal.
Zveare attributes the flaws primarily to simple API vulnerabilities, underscoring the importance of securing authentication processes to prevent similar incidents.
The vulnerabilities were reportedly addressed within a week of Zveare's disclosure in February 2025.