
Carmaker Portal Security Flaw Let Hackers Unlock Cars
How the Carmaker Portal Security Flaw Was Discovered
A newly uncovered carmaker portal security flaw has exposed just how vulnerable connected vehicle systems can be. Security researcher Eaton Zveare discovered a weakness in an unnamed automaker’s online dealership portal that allowed the creation of a “national admin” account with unrestricted access.
This flaw put over 1,000 dealerships across the U.S. at risk. With it, an intruder holding no legitimate credentials could view customer data, track vehicles in real time, and even unlock cars remotely.
How the Carmaker Portal Security Flaw Allowed Remote Access
The issue stemmed from buggy code in the login page. Because that code ran in the user's browser rather than on the server, Zveare could edit it in his own browser, skip the authentication check, and enter the portal; nothing on the server side re-verified the decision. Once inside, the potential damage was severe: access to dealer financial records, sales leads, and a national consumer lookup tool that could identify a car's owner from a VIN.
In one test, using the VIN of a parked car, Zveare confirmed the tool returned the owner's details. The flaw also let a user link any vehicle, by VIN, to a newly created mobile account, which enabled remote unlocking with minimal verification of ownership.
Single Sign-On Risks Amplified by Carmaker Portal Security Flaw
The dealership portal used single sign-on, so one compromised account opened access to several connected systems at once. Among them was the ability to impersonate other portal users without knowing their credentials, a critical weakness in such an interconnected environment, since the blast radius of a single authentication bug grows with every system that trusts the same login.
Telematics features inside the portal also revealed real-time vehicle locations, from rental cars to units in transit. While Zveare did not attempt to drive any vehicle away, the potential for theft was evident.
Quick Fix, Lasting Lessons
The automaker patched the carmaker portal security flaw within a week of disclosure in February 2025. Still, the finding highlights a key point: two small API vulnerabilities, both tied to authentication, were enough to compromise a nationwide network of dealerships.
As Zveare put it, “If you’re going to get authentication wrong, everything just falls down.” This incident shows the importance of securing portal-level access in the automotive industry before attackers exploit it.
How would your systems hold up if attackers targeted your access portals tomorrow?