
Car Hacking: Hacker Remotely Unlocks Cars Through Web Portal

August 11, 2025

Security Vulnerabilities Exposed in Automaker's Online Portal

A security researcher has disclosed significant security flaws in an automaker’s online dealership portal. The vulnerabilities could have exposed customers’ personal information and vehicle data to anyone who found them.

Unauthorized Access and Data Exposure

Eaton Zveare, a security researcher with Harness, informed TechCrunch that a discovered flaw enabled the creation of an administrative account. This account provided “unfettered access” to the carmaker’s centralized web portal.

A malicious actor with that level of access could have viewed customers’ personal and financial details, tracked vehicles, and enrolled customers in features that allow remote control of vehicle functions.

Details of the Vulnerability

Zveare has chosen not to publicly identify the automaker, describing it as a well-known manufacturer with multiple sub-brands.

He highlighted that these vulnerabilities underscore the security risks inherent in dealership systems. These systems often grant employees and associates extensive access to sensitive customer and vehicle information.

The researcher discovered the flaw earlier this year during a personal project. He found that the portal’s login system contained a flaw that let him bypass its authentication checks.

Bypassing Login Security

Specifically, the login checks ran in code that the portal loaded into the user’s browser. Because that code executes on the client, Zveare could modify it and skip the checks entirely, creating a “national admin” account.

The automaker said it found no evidence that the flaw had been exploited before Zveare reported it.

Extensive Data Access

The account gave access to data from more than 1,000 dealerships across the United States.

Zveare explained that an attacker could silently access dealer data, including financials, private information, and customer leads.

Consumer Data Lookup and Vehicle Control

The portal included a national consumer lookup tool that let authorized users pull up vehicle and driver data for the automaker’s vehicles.

Zveare demonstrated this by using a vehicle identification number (VIN) obtained from a car in a public parking lot to identify the vehicle’s owner. The tool could also locate individuals using only their first and last names.

Furthermore, the portal allowed the pairing of vehicles with mobile accounts. This enabled remote control of certain vehicle functions, such as unlocking doors.

Real-World Demonstration and Potential Abuse

Zveare tested this functionality with a friend’s consent, successfully transferring control of their vehicle to an account he controlled. The portal required only a simple “attestation” that the transfer was legitimate; it did not verify that the requester was entitled to it.
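
As an added example, not the automaker’s code, the following contrasts a transfer endpoint that accepts a self-asserted “attestation” with one that requires approval from the account on record as the vehicle’s owner and logs every attempt. The VIN, account identifiers, approval store and audit log are all hypothetical, and the ownership data is constructed for the example.

```javascript
// Added illustration, not the automaker's code. The VIN, account ids,
// the "attestation" checkbox and the approval store are hypothetical.

// Constructed sample data: the account on record as owner of each VIN.
const OWNER_OF_RECORD = { '1HGCM82633A004352': 'owner-17' };
const PAIRINGS = new Map(); // vin -> mobile account currently able to control it
const AUDIT = [];           // every transfer attempt, approved or not

// Vulnerable: a dealer user can move control of any VIN to any mobile
// account by ticking a box asserting the request is legitimate. The
// server never checks who actually owns the car.
function pairVulnerable(req) {
  if (!req.attestation) return { ok: false, reason: 'attestation required' };
  PAIRINGS.set(req.vin, req.targetAccount);
  return { ok: true };
}

// Hardened: the transfer is authorized by the owner of record, acting
// from their own authenticated account, not by the dealer's checkbox.
const APPROVALS = new Set(); // "vin|owner|target" entries created by the owner

// Called with the owner's own authenticated identity (e.g. from a session).
function ownerApprove(vin, authenticatedAccount, targetAccount) {
  if (OWNER_OF_RECORD[vin] !== authenticatedAccount) return false;
  APPROVALS.add(`${vin}|${authenticatedAccount}|${targetAccount}`);
  return true;
}

function pairHardened(req) {
  const owner = OWNER_OF_RECORD[req.vin];
  const key = `${req.vin}|${owner}|${req.targetAccount}`;
  const approved = owner !== undefined && APPROVALS.has(key);
  // Record who tried to move which vehicle where, whether or not it succeeded.
  AUDIT.push({ vin: req.vin, dealerUser: req.dealerUser,
               target: req.targetAccount, approved });
  if (!approved) return { ok: false, reason: 'no owner approval on file' };
  APPROVALS.delete(key); // approvals are single-use
  PAIRINGS.set(req.vin, req.targetAccount);
  return { ok: true };
}

function controllerOf(vin) { return PAIRINGS.get(vin) || null; }
```

The point of the hardened version is that the authorization evidence comes from a party the server can verify (the owner’s authenticated account) rather than from the requester, and that unsuccessful attempts leave a trail an operator can review.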

He emphasized that the portal could have let an attacker take control of a stranger’s vehicle knowing only the owner’s name, or after spotting the vehicle in a public space.

While Zveare did not attempt to drive away with the vehicle, he noted the exploit could be used by thieves to break into and steal items from vehicles.

Single Sign-On and User Impersonation

Another factor that widened the impact was single sign-on (SSO). A single set of credentials granted access to multiple dealer systems, so an account forged in the portal was not confined to the portal.

The automaker’s systems are interconnected, making it easy to navigate between different systems. The portal also featured a user-impersonation function.

This function allowed administrators to access other dealer systems as if they were the legitimate user, without requiring their login credentials. This is similar to a vulnerability discovered in a Toyota dealer portal in 2023.

Data Found Within the Portal

Zveare discovered personally identifiable customer data, some financial information, and telematics systems within the portal.

These telematics systems enabled real-time tracking of rental cars, vehicles in transit, and provided the option to cancel shipments.

Resolution and Key Takeaways

The automaker addressed the vulnerabilities in February 2025, shortly after Zveare’s disclosure.

Zveare concluded that the vulnerabilities stemmed from just two simple API flaws related to authentication. He stressed that when authentication fails, everything behind it is exposed, regardless of how the rest of the system is built.


Tags: car hacking, remote unlock, security flaw, automotive security, web portal vulnerability