Carmaker Web Portal Exposes Remote Car Unlocking Vulnerability and Access to 1,000 Dealerships

Written by: Lore Apostol, Cybersecurity Writer

A significant cybersecurity flaw has been discovered in a carmaker's web portal, jeopardizing customer privacy and vehicle security. The vulnerability allowed unauthorized access to vehicles and sensitive customer information through the centralized dealer portal of the “widely known automaker with several popular sub-brands.”

Vulnerabilities and Exploits  

Security researcher Eaton Zveare, who works at software delivery company Harness, identified a critical flaw enabling the creation of a "national admin" account due to code vulnerabilities in the portal’s login page, TechCrunch recently reported.

An unauthorized user could modify the code to bypass the login security checks and access the personal and financial data of the carmaker’s customers, track vehicles, and enroll customers in features that enable remote control of certain car functions.
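The weakness described above is a familiar class: a login check that runs in the browser, where the user can edit it, and a server that then believes whatever the page tells it. The following is an added illustration of that class, not the portal's code or anything Zveare published; the user store, field names, roles and the `national_admin` string are all constructed for the example. It contrasts a handler that trusts client-supplied login state with one that verifies credentials server-side and derives the role from a server-held session.

```python
"""Constructed illustration: why a login check the browser can edit is not a check.

Not the carmaker's portal code. The user store, request field names and role
names below are invented for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user store: the server keeps only password hashes, and the role
# is assigned server-side. A real store uses a random per-user salt.
_SALT = b"example-salt"  # constructed


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "dealer42": {"pw_hash": _hash_password("correct horse"), "role": "dealer_user"},
}

# token -> username; exists only on the server
SESSIONS: Dict[str, str] = {}


def vulnerable_authorize(request: dict) -> Optional[str]:
    """Weak design: the login page's script checks the password and then tells
    the server "authenticated=true, role=X". Whoever edits the page script or the
    request can claim any role without knowing a password at all."""
    if request.get("authenticated") is True:
        return request.get("role")  # trusts a role the client chose
    return None


def login(username: str, password: str) -> Optional[str]:
    """Hardened step 1: the server itself verifies credentials and hands back an
    opaque session token. Nothing about the outcome is decided in the browser."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_authorize(request: dict) -> Optional[str]:
    """Hardened step 2: the role is looked up from the server-side session.
    Any 'role' or 'authenticated' field in the request body is ignored."""
    username = SESSIONS.get(request.get("session_token", ""))
    if username is None:
        return None
    return USERS[username]["role"]


if __name__ == "__main__":
    # A request that simply asserts it is an admin.
    forged = {"authenticated": True, "role": "national_admin"}
    print("vulnerable:", vulnerable_authorize(forged))   # national_admin
    print("hardened:  ", hardened_authorize(forged))     # None

    # Legitimate login, then an attempt to upgrade the role in the request body.
    token = login("dealer42", "correct horse")
    print("hardened, real session, forged role:",
          hardened_authorize({"session_token": token, "role": "national_admin"}))
```

In the hardened version the only thing the client can influence is whether it holds a valid token; the role that token maps to is fixed by the server. That is the property a dealer portal spanning many franchises needs: role assignment has to live where the user cannot edit it.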

This account granted universal access to more than 1,000 dealerships nationwide that were connected to the portal via Single Sign-On (SSO).

Logged-in users could look up customers’ vehicle and driver data and use the vehicle’s unique identification number, displayed on the windshield, to identify the car’s owner. 

Alarmingly, the system allowed unauthorized pairing of vehicles with new mobile accounts, requiring only an attestation, and enabled remote car unlocking through a user-controlled application.  

The report mentions that the portal also had a feature that allowed admins to act as other users and access other dealer systems without needing their logins, similar to a feature found in a Toyota dealer portal that Zveare discovered in 2023.

Implications of the Breach  

This remote car unlocking vulnerability highlights severe weaknesses in the integration of digital systems with physical security. Affected users risk theft of personal items, exposure of their private information, or even unauthorized control over their vehicles. 

Beyond individual users, this represents a troubling precedent for cybersecurity flaws in the automotive industry, where a breach can quickly escalate to endanger public safety.  

Carmaker’s Response  

Following Zveare’s disclosure, the carmaker acted swiftly to patch the vulnerabilities in February 2025. Although no evidence of past exploitation has been uncovered, the incident highlights the need for heightened security standards, particularly for platforms that manage vehicle data and customer information.  

Last year, Toyota suffered a data breach, and the stolen information was leaked on the dark web for free.
