
Carmaker Portal Security Flaw Lets Hackers Remotely Unlock Cars, Access Customer Data
A security researcher has revealed that critical flaws within a major carmaker’s online dealership portal not only exposed sensitive customer data but also presented the alarming possibility for hackers to remotely unlock vehicles from anywhere.
Eaton Zveare, a security researcher at software delivery firm Harness, informed TechCrunch that a vulnerability he identified allowed for the creation of an administrator account, granting what he described as “unfettered access” to the automaker’s centralized web portal.
This extensive access could have empowered malicious actors to view customers’ personal and financial information, track vehicle locations, and even enroll vehicles into features that enable remote control functions, allowing owners—or unauthorized individuals—to manage car operations remotely.
Zveare indicated he would not disclose the specific manufacturer’s name, but stated it was a well-known automaker with several popular sub-brands.
Speaking to TechCrunch ahead of his presentation at the Def Con security conference in Las Vegas, Zveare highlighted how these bugs underscore the precarious security of dealership systems, which often provide employees and affiliates with broad access to customer and vehicle data.
Zveare, who has previously uncovered security issues in carmakers’ customer and vehicle management systems, discovered this particular flaw earlier this year as part of a weekend project. His prior research includes findings on systems used by manufacturers like Toyota, detailed on his website.
He explained that while the security flaws within the portal’s login system were challenging to pinpoint, once discovered, they allowed him to bypass the authentication mechanism entirely by enabling the creation of a new “national admin” account.
The vulnerability stemmed from buggy code that loaded directly into a user’s browser upon accessing the portal’s login page. Because the login logic ran client-side, Zveare was able to modify that code and bypass the login checks entirely. Zveare noted that the carmaker found no evidence of prior exploitation, suggesting he was the first to discover and report the issue.
Once logged in with the compromised account, Zveare found it provided access to data from over 1,000 dealerships across the United States.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” Zveare commented, describing the extent of the compromised information.
Within the dealership portal, Zveare discovered a national consumer lookup tool that permitted logged-in users to access vehicle and driver data for any customer of that carmaker. He provided a real-world example where he used a vehicle’s VIN, obtained from a car in a public lot, to identify the owner, noting the tool could also retrieve information using just a customer’s name.
Furthermore, the portal allowed for the pairing of any vehicle with a mobile account, enabling remote control features such as unlocking doors via a smartphone app. Zveare demonstrated this capability with a friend’s consent, transferring control of their car by exploiting a process that required only a user’s attestation of legitimacy.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare stated. “But [the portal] could basically do that to anyone just by knowing their name—which kind-of freaks me out a bit—or I could just look up a car in the parking lots.”
While Zveare did not attempt to drive the vehicles, he cautioned that the exploit could be leveraged by thieves to gain entry and steal items from cars.
Another significant issue identified was the portal’s single sign-on (SSO) feature, which allowed access to multiple interconnected dealer systems. Zveare explained that the carmaker’s dealer systems were all linked, facilitating easy movement between them.
This interconnectedness also included a feature allowing administrators, like the account Zveare created, to “impersonate” other users. This capability enabled access to different dealer systems as if they were the impersonated user, without needing their credentials, a feature Zveare noted was similar to one found in a Toyota dealer portal investigated in 2023.
“They’re just security nightmares waiting to happen,” Zveare remarked regarding the user-impersonation functionality.
During his exploration of the portal, Zveare found personally identifiable customer data, financial details, and telematics systems that provided real-time location tracking for rental or courtesy cars, as well as vehicles in transit. The portal also offered the option to cancel these services, although Zveare did not test this functionality.
Zveare reported that the identified vulnerabilities were addressed by the carmaker approximately one week after his disclosure in February 2025.
Reflecting on the incident, Zveare concluded, “The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication. If you’re going to get those wrong, then everything just falls down.”
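The two weaknesses the article describes (a login gate that lived in browser-loaded code, and a vehicle-pairing step that accepted only the user's own attestation of ownership) share one root cause: the server trusted claims the client made about itself. The toy model below is an added example, not the carmaker's code or anything from the researcher's report; every identifier (tokens, VINs, user names, the `SESSIONS` and `VEHICLE_OWNERS` tables) is constructed. It places each weak check beside a hardened version that resolves the caller from a server-issued session, checks ownership against the server's own records, and writes an audit record for privileged actions.

```python
"""Toy model (constructed, not the carmaker's code) contrasting checks that
trust client claims with server-side enforcement, for the two operations the
article names: creating a privileged account and pairing a vehicle with a
mobile account."""
from __future__ import annotations

# --- constructed sample state (hypothetical identifiers) -------------------
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-dealer": {"user": "dealer1", "role": "dealer"},
    "tok-admin": {"user": "hqadmin", "role": "national_admin"},
}
VEHICLE_OWNERS = {"VIN-EXAMPLE-0001": "alice", "VIN-EXAMPLE-0002": "bob"}
AUDIT_LOG: list[dict] = []


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but the action is not permitted for this caller."""


def _session(request: dict) -> dict:
    """Resolve the caller from a server-issued token, never from client claims."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        raise Unauthorized("no valid session")
    return session


# --- 1. creating a privileged ("national admin") account -------------------
def weak_create_admin(request: dict) -> dict:
    """WEAK: the only gate is a flag computed in the browser, so anyone who
    edits the page script controls it. This is the pattern to avoid."""
    if not request.get("client_says_admin"):
        raise Forbidden("client-side gate")
    return {"created": request["new_user"], "role": "national_admin"}


def hardened_create_admin(request: dict) -> dict:
    """The server decides from its own session store; client flags are ignored."""
    session = _session(request)
    if session["role"] != "national_admin":
        raise Forbidden("only national admins may create admin accounts")
    AUDIT_LOG.append({"actor": session["user"], "action": "create_admin",
                      "target": request["new_user"]})
    return {"created": request["new_user"], "role": "national_admin"}


# --- 2. pairing a vehicle with a mobile account ----------------------------
def weak_pair_vehicle(request: dict) -> dict:
    """WEAK: a self-attestation checkbox is the entire ownership check."""
    if not request.get("attests_ownership"):
        raise Forbidden("attestation required")
    return {"vin": request["vin"], "paired_to": request["mobile_account"]}


def hardened_pair_vehicle(request: dict) -> dict:
    """Ownership is checked against server records, not the caller's word."""
    session = _session(request)
    if VEHICLE_OWNERS.get(request["vin"]) != session["user"]:
        raise Forbidden("vehicle is not registered to the requesting account")
    AUDIT_LOG.append({"actor": session["user"], "action": "pair_vehicle",
                      "target": request["vin"]})
    return {"vin": request["vin"], "paired_to": request["mobile_account"]}


def allowed(handler, request: dict) -> bool:
    """True if the handler accepts the request, False if it refuses it."""
    try:
        handler(request)
    except (Unauthorized, Forbidden):
        return False
    return True


if __name__ == "__main__":
    # A dealer session cannot mint an admin account on the hardened path,
    # and only the recorded owner can pair VIN-EXAMPLE-0001.
    print(allowed(hardened_create_admin, {"token": "tok-dealer", "new_user": "m"}))
    print(allowed(hardened_pair_vehicle, {"token": "tok-alice",
                                          "vin": "VIN-EXAMPLE-0001",
                                          "mobile_account": "alice-phone"}))
    print(AUDIT_LOG)
```

The design point is that the hardened handlers never read a permission or an ownership claim from the request body: role comes from the session the server issued, ownership comes from the server's registry, and each privileged action leaves an audit entry, which is what makes silent bulk access of the kind the researcher describes detectable after the fact.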