Carmaker Portal Flaw Could Let Hackers Unlock Cars, Steal Data

A security vulnerability in a major carmaker’s online portal exposed customer data and could have let hackers remotely unlock vehicles. Read about the “security nightmare” and get tips to protect your car from tracking.
A new security vulnerability in a major car manufacturer’s online system has been discovered, exposing customer data and potentially allowing remote access to vehicles. The flaw was found by security researcher Eaton Zveare, who reported his findings to the company, leading to a fix in February 2025. Zveare has not publicly named the automaker, but stated it’s a well-known brand with over 1,000 dealerships in the United States.
Zveare is known for identifying critical vulnerabilities in IoT devices. For example, his June 2022 findings revealed a vulnerability in a smart jacuzzi app that a remote attacker could exploit to extract the data of unsuspecting users.
The vulnerability was found in an online portal used by the carmaker’s dealerships. Zveare discovered a way to bypass the login security by modifying the portal’s code, which allowed him to create a new “national administrator” account. This gave him “unfettered access” to the private information of thousands of customers, including personal data, financial details, and vehicle information.
Using a vehicle’s unique identification number (VIN), which can be seen on the windshield, a hacker could look up the owner’s name. Even more alarming, the flaw allowed a hacker to remotely control certain car functions, such as unlocking the doors, simply by knowing a customer’s name or a VIN. While Zveare did not test if it was possible to drive the cars away, the vulnerability could easily be exploited by thieves.
The dealership portal exposed more than just customer information. With his new admin access, Zveare could view financial data from all the dealerships and even track the real-time location of rental or courtesy cars. He noted that the security flaws were a “security nightmare waiting to happen” due to the ability to impersonate other users and access different systems.
Cybersecurity firm Malwarebytes weighed in on the issue, saying that this is the kind of vulnerability that makes it easier for people to track and stalk others. Zveare, who presented his findings at the Defcon security conference, says the bugs took the company about a week to fix after he disclosed them.
He told TechCrunch that the main issue came down to simple authentication flaws, saying, “If you’re going to get those wrong, then everything just falls down.”
For people concerned about their car’s security, here are a few simple tips to help prevent unwanted tracking:
- Use your phone’s navigation app (like Google Maps) instead of the one built into your car.
- Don’t save regular destinations in the car’s navigation system.
- Keep your car’s software updated to ensure you have the latest security protections.
- Check your car’s remote access apps to make sure no unknown devices have been linked to your account.
HackRead