Security Flaws Allowed Hackers to Remotely Access Vehicles and Steal Sensitive Information


A recently discovered vulnerability in a carmaker’s online dealership portal has exposed the private information and vehicle data of its customers, potentially allowing hackers to remotely break into any of its customers’ vehicles. The security flaw, discovered by Eaton Zveare, a security researcher at software delivery company Harness, allowed the creation of an admin account that granted “unfettered access” to the carmaker’s centralized web portal.

Speaking ahead of his talk at the Def Con security conference in Las Vegas, Zveare said the flaw put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information. The vulnerability was discovered earlier this year as part of a weekend project. Zveare said it was a challenge to find, but once he did, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.

The flaws were problematic because the buggy code was loaded in the user’s browser when the portal’s login page was opened, which let the user modify that code to bypass the login security checks. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners to control some of their cars’ functions from anywhere.
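The class of issue described above, as an added example (not the carmaker's code, which the article does not show): an account-creation handler that relies on the browser-side login code, beside one that decides on the server from the session and role. The handler names, the session tokens and the roles other than "national admin" are assumptions made for illustration.

```javascript
// Added illustration: every name here is hypothetical, all data is constructed.
const ROLE_RANK = new Map([["dealer_user", 1], ["dealer_admin", 2], ["national_admin", 3]]);

// Constructed server-side session store: token -> authenticated user.
const sessions = new Map([
  ["tok-dealer", { id: "u1", role: "dealer_user" }],
  ["tok-national", { id: "u2", role: "national_admin" }],
]);

// Weak pattern: the API assumes the login page's browser code already gated
// the caller, so it creates whatever role the request body asks for.
function createAccountTrustingClient(req, db) {
  db.push({ email: req.body.email, role: req.body.role });
  return { status: 201 };
}

// Hardened pattern: identity and privilege come from the server-side session,
// never from anything the browser can edit, and every outcome is audited.
function createAccountServerChecked(req, db, audit) {
  const caller = sessions.get(req.headers.authorization);
  if (!caller) {
    audit.push({ event: "create_account_denied", reason: "unauthenticated" });
    return { status: 401 };
  }
  const wanted = ROLE_RANK.get(req.body.role);
  if (wanted === undefined) return { status: 400 };
  // Callers may only create accounts at or below their own privilege level.
  if (wanted > ROLE_RANK.get(caller.role)) {
    audit.push({ event: "create_account_denied", caller: caller.id, role: req.body.role });
    return { status: 403 };
  }
  db.push({ email: req.body.email, role: req.body.role, createdBy: caller.id });
  audit.push({ event: "create_account", caller: caller.id, role: req.body.role });
  return { status: 201 };
}

// Constructed requests used to compare the two handlers.
function demo() {
  const body = { email: "new.user@example.test", role: "national_admin" };
  const weakDb = [], strongDb = [], audit = [];
  const anonymous = { headers: {}, body };
  const weak = createAccountTrustingClient(anonymous, weakDb).status;
  const noSession = createAccountServerChecked(anonymous, strongDb, audit).status;
  const lowRole = createAccountServerChecked(
    { headers: { authorization: "tok-dealer" }, body }, strongDb, audit).status;
  const admin = createAccountServerChecked(
    { headers: { authorization: "tok-national" }, body }, strongDb, audit).status;
  return { weak, noSession, lowRole, admin, created: strongDb.length, audit };
}

console.log(demo());
```

The audit entries written on denial give defenders a signal for repeated unauthenticated or over-privileged account-creation attempts.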

Zveare said that he was the first to find and report the flaw to the carmaker, and that the company found no evidence of past exploitation. When logged in, the account granted access to more than 1,000 of the carmaker’s dealers across the United States. Zveare described the access as “surreptitious,” allowing him to view sensitive information without arousing suspicion.

The carmaker’s portal also had a feature that allowed admins to “impersonate” other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023, and that it was a “security nightmare waiting to happen.”

This impersonation feature allowed Zveare to access other dealer systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said that the carmaker’s systems for dealers are all interconnected, making it easy to jump from one system to another.

With this access, a malicious hacker could have used the vehicle’s unique identification number to identify the car’s owner, or even pair any vehicle with a mobile account, allowing them to remotely control some of the car’s functions. Zveare demonstrated this, using a friend’s account and with their consent, by transferring ownership to an account controlled by him. He said that the portal requires only an attestation, or effectively a pinky promise, that the user performing the account transfer is legitimate.

Zveare also found that the portal had a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker. In a real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. He said that the tool could be used to look up someone using only a customer’s first and last name.

The bugs took about a week to fix in February 2025, soon after Zveare’s disclosure to the carmaker. “The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication,” said Zveare. “If you’re going to get those wrong, then everything just falls down.”

The discovery highlights the importance of robust security measures in dealership systems, which often grant broad access to sensitive customer information. As the automotive industry continues to evolve and become increasingly reliant on digital technologies, the need for robust security measures will only grow.
