Vulnerabilities discovered in a car manufacturer's online portal enabling a hacker to unlock vehicles from a distant location.
A major automaker with several popular sub-brands and more than 1,000 dealerships in the United States has come under scrutiny for a critical security flaw in its online dealership portal. The automaker is not named in the available reports, but the descriptions point to a well-known multibrand U.S. car manufacturer.
The vulnerability, discovered by security researcher Eaton Zveare, allowed him to bypass the login mechanism and create a "national admin" account, granting full administrative access to customers' private information, vehicle data, and remote-control functions such as unlocking and starting vehicles.
The flaw was in the automaker's centralized dealer portal, which manages sales, customer leads, and vehicle enrollments. By exploiting hidden registration forms and bypassing validation, Zveare could forge admin accounts with broad privileges, including transferring vehicle ownership digitally and taking over vehicle controls through the mobile app. This posed a significant risk of attackers remotely hijacking vehicles, tracking their locations, and accessing sensitive customer and financial data.
The automaker patched the vulnerability within about a week of disclosure, but the incident highlights urgent cybersecurity challenges in the automotive industry's dealer network systems.
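The registration weakness described above belongs to a well-understood class: a form carries hidden fields (role, scope, a "validated" flag) and the server honours them. The following is an added illustration, not code from the article or from the automaker's portal; the field names, invite mechanism and approver list are assumptions chosen to show the defect beside a hardened handler in which the server, not the client, decides role and scope.

```python
"""Added example (not from the article or the automaker's portal): a toy
registration handler that trusts hidden form fields, beside a hardened one
that assigns role and dealer scope on the server. Names and values are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample state: invite tokens the server itself issued, each
# bound to one dealer, and a hypothetical list of people allowed to approve
# privileged role changes.
INVITES = {"inv-7f3a": {"dealer_id": "dealer-0042", "used": False}}
ADMIN_APPROVERS = {"alice@example.invalid"}


@dataclass
class Account:
    email: str
    dealer_id: Optional[str]   # None means national (all-dealer) scope
    role: str


def register_vulnerable(form: dict) -> Account:
    """Defect: role and scope are read straight from the submitted form.
    A request that sets role=national_admin and dealer_id=* simply gets it,
    because hidden fields are still client-controlled input."""
    return Account(
        email=form["email"],
        dealer_id=form.get("dealer_id"),
        role=form.get("role", "dealer_user"),
    )


def register_hardened(form: dict) -> Account:
    """Hardened: the server derives role and scope from an invite it issued,
    enforces validation server-side, and ignores any role the client sends."""
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        raise ValueError("invalid email")
    invite = INVITES.get(form.get("invite_token", ""))
    if invite is None or invite["used"]:
        raise PermissionError("registration requires an unused invite")
    invite["used"] = True                     # single-use, server-tracked
    # Role and dealer scope come from the invite, never from the form.
    return Account(email=email, dealer_id=invite["dealer_id"], role="dealer_user")


def promote_to_national_admin(acct: Account, approver: str) -> Account:
    """Privileged role changes are a separate step performed by an approver,
    so self-registration alone can never produce a national admin."""
    if approver not in ADMIN_APPROVERS:
        raise PermissionError("not an authorized approver")
    return Account(email=acct.email, dealer_id=None, role="national_admin")
```

The hardened path is deliberately boring: any field the client can set is treated as a claim to be checked, and the decision that matters (who gets national scope) lives in a separate, approver-gated function that a registration request cannot reach.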
Zveare also found a national consumer lookup tool inside the portal that allowed logged-in users to look up vehicle and driver data for the carmaker's customers. He was able to identify a car owner from a vehicle identification number read off the windshield. With portal access, it was possible to pair a vehicle with a mobile account, allowing remote control of some car functions.
Zveare found the flaw as part of a weekend project. Once logged in, the forged account had access to more than 1,000 of the carmaker's dealers across the United States, and the lookup tool could find a customer using only a first and last name.
Fortunately, the carmaker found no evidence of past exploitation of these flaws. Zveare compared the user-impersonation feature he discovered to a similar feature found in a Toyota dealer portal in 2023.
This incident serves as a reminder for the automotive industry to prioritize cybersecurity measures in their dealership portals and other digital services to protect their customers' sensitive information and vehicle data.
- The flaw in the automaker's online dealership portal cut across finance, technology, and cybersecurity: it exposed customers' private information and vehicle data and allowed remote control of vehicle functions.
- In the transportation and data-and-cloud-computing sectors, dealer network systems need urgent cybersecurity attention to prevent remote hijacking of vehicles and to protect sensitive data.
- The consumer lookup tool inside the portal shows why dealer portals and other digital services need stronger security controls, since weak security can expose vehicle and financial data to misuse.