In a recent revelation, security researcher Eaton Zveare uncovered significant vulnerabilities within a prominent car manufacturer’s online dealership portal. These flaws potentially allowed unauthorized individuals to access sensitive customer data and remotely control vehicle functions.
Discovery of the Vulnerability
Eaton Zveare, associated with software delivery firm Harness, identified a critical flaw enabling the creation of an administrative account with unrestricted access to the carmaker’s centralized web portal. This access could permit malicious actors to view personal and financial information of customers, track vehicle locations, and manipulate features that allow remote control of certain car functions. Zveare chose not to disclose the specific automaker but confirmed it is a well-known brand with multiple popular sub-brands.
Technical Details of the Flaw
The vulnerability resided in the portal’s login system. The security check was implemented in code delivered to the user’s browser when the login page loaded; because that code runs on the visitor’s own machine, it could be modified to skip the check. Zveare used this to bypass authentication and create a national admin account. The carmaker’s investigation found no evidence of prior exploitation, which suggests Zveare was the first to identify and report the issue, although an absence of evidence in logs is not proof that nobody else had found it.
Extent of Unauthorized Access
With administrative access, Zveare could access data from over 1,000 dealerships across the United States. This included confidential dealer information, financial records, and customer leads. The portal also featured a national consumer lookup tool that returned vehicle and driver data. For instance, by reading a vehicle identification number (VIN) through the windshield of a publicly parked car, Zveare could identify the owner. The tool also allowed searches using just a customer’s first and last name.
Potential for Remote Vehicle Control
Administrative access also allowed any vehicle to be paired with a mobile account, giving the account holder remote control of certain car functions through the manufacturer’s app, such as unlocking doors. Zveare tested this by transferring ownership of a friend’s vehicle to an account he controlled, with the friend’s consent. The portal required only that the requester attest to being authorized to make the transfer, with no independent verification of ownership, which is what makes the feature open to misuse by anyone holding portal access.
Broader Implications and Industry Context
This incident underscores the critical need for robust security measures in automotive web portals. Similar vulnerabilities have been identified in other manufacturers. For example, in 2024, researchers discovered a flaw in Kia’s web portal that allowed remote control of vehicles using just the license plate number. This exploit enabled unauthorized access to vehicle functions and tracking capabilities. Additionally, in early 2025, vulnerabilities in Subaru’s web portal were found, allowing hackers to hijack car controls and access driver location data. These cases highlight a pervasive issue within the automotive industry, where web-based flaws can lead to significant security breaches.
Industry-Wide Challenges
The automotive sector’s push to integrate connected technologies has expanded the attack surface for cyber threats. Once a smartphone app can unlock or locate a vehicle, the web backend behind that app becomes a path to the car, and a flaw in a dealer or consumer portal reaches the vehicle without touching its embedded systems. Security assessments therefore need to cover the web infrastructure that supports these connected features, not only the software inside the vehicle.
Conclusion
The discovery of these security flaws serves as a stark reminder of the vulnerabilities inherent in modern connected vehicles. Automakers must prioritize cybersecurity in both vehicle systems and associated web portals to protect customer data and ensure vehicle safety. Continuous vigilance, regular security audits, and prompt remediation of identified flaws are essential to maintain consumer trust and vehicle integrity.