Vulnerabilities discovered by a researcher in a major automaker’s dealership systems could have been exploited to remotely hack cars and obtain personal information.
The research was summarized over the weekend by Eaton Zveare, researcher at Harness, at the DEF CON hacking conference. The researcher told SecurityWeek that he will soon publish a blog post detailing the findings.
In recent years, Zveare found vulnerabilities in the online platforms of several major car manufacturers, including Honda and Toyota.
His latest research focused on an online platform used by more than 1,000 US dealerships belonging to an unnamed carmaker. The platform can be used to order cars, make sales, and manage customers. While it is accessible over the internet, car dealership employees need an invite in order to register an account.
However, the researcher was able to find the account registration form even without an invitation, and abused a profile updating functionality along with API vulnerabilities to create a ‘national admin’ account that gave him full access to the platform.
[ Read: Free Wi-Fi Leaves Buses Vulnerable to Remote Hacking ]
Zveare noticed that the platform allowed dealers to look up a vehicle based on the customer’s name or the car’s VIN. With the help of a friend who owns a vehicle made by the affected carmaker, he conducted some tests and found that he was able to abuse the platform to transfer the ownership of the vehicle to a newly created account.
With his account tied to the targeted car, Zveare was able to use the associated mobile application to remotely track the vehicle’s location, unlock it, and start the engine.
The researcher believes the attack would have worked against any car model made since 2012 as long as it had a standard telematics module. The attacker only needed to know the victim’s name.
Further research led to the discovery of different portals used by the same brand — including for loaner cars — on which Zveare also managed to obtain elevated privileges, which granted him access to customer and employee personal information, contracts, financial documents, car tracking, and other internal functionality.
Harness told SecurityWeek that the name of the impacted automaker is not being shared, but the company did address the vulnerabilities after being notified.
“The goal of this research is not to call out one company — it’s to highlight broader, systemic risks in dealer-manufacturer platforms that often fly under the radar. Naming names shifts the conversation away from what really matters: improving security across the industry,” Traceable said.
Related: Millions of Cars Exposed to Remote Hacking via PerfektBlue Attack
Related: Nissan Leaf Hacked for Remote Spying, Physical Takeover
Related: Subaru Starlink Vulnerability Exposed Cars to Remote Hacking
