Particle.news

Researcher Reveals Flaws in Automaker’s Dealer Portal That Enabled Remote Vehicle Control

Zveare’s DEF CON summary has reignited scrutiny of dealer-portal security ahead of his forthcoming technical blog post.

Overview

  • In February, Eaton Zveare found client-side login and API vulnerabilities that allowed creation of a privileged national admin account in an unnamed automaker’s dealer portal.
  • The compromised portal granted access to over 1,000 U.S. dealerships and exposed customer personal data, financial records, and telematics systems for real-time vehicle tracking.
  • Zveare demonstrated that his admin account could pair vehicles to a mobile app, enabling remote unlocking, engine start, and location monitoring.
  • The automaker patched the reported flaws within a week of the researcher’s disclosure and confirmed no evidence of prior exploitation.
  • Public disclosure at DEF CON has shone a light on systemic risks in interconnected dealer-manufacturer platforms and spurred calls for stronger API and authentication controls.