Technology

Exposed Security Flaws Allow Hacker to Control Cars Remotely!

2025-08-11

Author: Sophie

A Shocking Discovery in Automotive Security

In a jaw-dropping revelation, a security researcher exposed severe vulnerabilities in a major carmaker’s online dealership portal, raising alarms about the potential for hackers to remotely unlock and control vehicles. The disclosure, made by Eaton Zveare of Harness, has thrown the spotlight on the safety of customer data and vehicle security.

How One Hack Could Grant Unlimited Access

Zveare’s findings indicated that the flaws allowed for the creation of an unauthorized admin account, giving complete access to the carmaker’s centralized web portal. Alarmingly, this means that a hacker could view sensitive personal and financial information, track vehicles, and even enroll customers in features that would let the attacker control car functions from any location.

A Major Automaker with a Hidden Risk

Although Zveare chose to keep the carmaker’s identity under wraps, he specified that it’s a widely recognized name with numerous popular sub-brands. Ahead of a presentation at the Def Con security conference in Las Vegas, Zveare detailed the risks associated with the dealership systems that provide broad access to sensitive customer and vehicle information.

A Weekend Project Turns Into a Security Nightmare

Zveare discovered these significant vulnerabilities as part of a weekend project. He adeptly navigated the portal's login system, ultimately bypassing it entirely to create a new ‘national admin’ account. This loophole existed because the login check ran in buggy code loaded into the user’s browser, where it could be modified to skip authentication altogether.

Accessing Dealer Data with Ease

Once logged in, Zveare had access to over 1,000 dealerships across the U.S. He described the data he could observe as deeply concerning, since he could silently sift through dealers’ financial records and customer leads. One shocking feature he found was a national consumer lookup tool that returned vehicle and driver data from nothing more than a name.

Testing the Vulnerability in Real-Time

To demonstrate the risk, he used a friend's vehicle identification number to identify the car's owner, showing that a customer’s name alone was enough to pull up their record. Zveare even experimented, with his friend's consent, by transferring ownership of the vehicle to himself through the portal, revealing how easy it was to obtain control.

Could Thieves Take Advantage?

While Zveare refrained from attempting to drive away with a vehicle, he pointed out that this exploit could empower thieves to break into cars, potentially stealing valuables.

The Interconnected Chaos of Dealer Systems

Zveare also noted frightening implications of single sign-on features in these portals, allowing access to interconnected dealer systems without separate logins. He raised concerns about an impersonation feature that let admins gain access to other users' accounts—a vulnerability mirroring issues found within other automotive portals.

Fix Implemented, But the Lesson Remains Clear

After Zveare’s disclosure, the carmaker reportedly took about a week to address these security flaws. He emphasized the critical takeaway: two simple API vulnerabilities were enough to compromise the entire system—proving that improper authentication can lead to catastrophic breaches.