Critical Security Flaw Exposes Millions of Drivers' Data, Enabling Remote Control
Dangerous Vulnerabilities Threatening Customer Data and Cars

Vulnerability Discovery and Its Initial Impact

A security researcher disclosed serious vulnerabilities in a carmaker's online dealer portal that exposed customers' private information and vehicle data. More seriously, the flaws would have let an attacker take remote control of customers' cars. The researcher, Eaton Zveare of the software delivery company Harness, found a flaw that let him create an administrator account with what he called "unrestricted access" to the central portal of a major, unnamed car company.
With that level of access, an attacker could view the personal and financial data of the company's customers, track their vehicles' locations, and even enroll them in features that let owners, or in this case attackers, control certain functions of their cars from anywhere in the world. Zveare did not name the company, but he confirmed that it is a widely sold car manufacturer with several well-known sub-brands.
Mechanism of Intrusion and Bypassing Protection

In an interview, Zveare said these security flaws highlight the weak protection of dealer systems, which give employees and partners wide-ranging access to customer and vehicle information. Zveare, who has a history of uncovering similar vulnerabilities in vehicle management systems, found this flaw during a personal project earlier this year.

He explained that although the flaws in the portal's login system were hard to spot, they let him bypass the protection mechanism entirely and create a "national administrator" account. The root problem was that the flawed login code was delivered to the user's browser when the login page loaded, so Zveare could modify that code and skip every security check; a check that runs only on the client is under the user's control and cannot be trusted by the server. The automaker said it found no evidence that the vulnerability had been exploited before, suggesting that Zveare was the first to discover and report it.
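The pattern described above, as an added illustration (not the portal's code and not the researcher's): a dealer-portal style request gate where the vulnerable variant trusts a login verdict computed in the browser, and the hardened variant resolves identity only from a server-held session. Session tokens, roles and dealer numbers are constructed for the example.

```javascript
// Constructed server-side session store: session token -> identity the server established.
const SESSIONS = new Map([
  ["tok-dealer-42", { user: "dealer42", role: "dealer", dealerId: 42 }],
  ["tok-hq-1", { user: "hq-admin", role: "national_admin", dealerId: null }],
]);

// Data scope derived from an identity: national admins see every dealer.
function scopeFor(identity) {
  return identity.role === "national_admin" ? "all-dealers" : `dealer:${identity.dealerId}`;
}

// VULNERABLE: the login/role check ran in the browser and the client reports the result.
// Every field in req.body is attacker-controlled, so a forged "national_admin" is accepted.
function authorizeClientTrusted(req) {
  const claims = req.body && req.body.claims;
  if (!claims || !claims.loginOk) return { allowed: false, scope: null };
  return { allowed: true, scope: scopeFor(claims) };
}

// HARDENED: the server ignores every identity field the client sends and looks up
// the session it issued itself; role and dealer scope come only from that record.
function authorizeServerSide(req) {
  const token = req.headers && req.headers.authorization;
  const identity = token ? SESSIONS.get(token) : undefined;
  if (!identity) return { allowed: false, scope: null };
  return { allowed: true, scope: scopeFor(identity) };
}

// Constructed request: a real dealer session token, with forged admin claims in the body.
const forgedRequest = {
  headers: { authorization: "tok-dealer-42" },
  body: { claims: { loginOk: true, role: "national_admin", dealerId: null } },
};
```

The hardened gate returns the dealer's own scope for the forged request because the body is never consulted; only the server-issued session decides.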
Access to Dealer and Customer Data

Once logged in, the new account gave access to data for more than 1,000 of the company's dealers across the United States. Zveare described this access by saying: "No one even knows you are silently browsing all these dealers' data, all their financial records, all their private information, and their prospective customer lists."

Zveare explained that among the tools he found in the dealer portal was a national search tool that let authorized users look up vehicle and driver data for the company's customers. As a practical example, Zveare used the Vehicle Identification Number (VIN) of a car parked in a public place to identify its owner. He added that it was possible to look up anyone using only the customer's first and last name.
Remote Vehicle Control and Security Risks

With access to the portal, it was also possible to pair any vehicle with a mobile phone account, which lets customers remotely control certain functions of their cars through an app, such as unlocking the doors. Zveare tested this in practice with a friend's consent. He noted that transferring ownership to his account required only a simple affirmation, essentially a pledge, that the user performing the transfer was the legitimate owner.

Zveare said: "For my research purposes, I obtained a friend's consent to control his car, and I used that." He added: "But [the portal] allowed doing that to anyone just by knowing their name—which is scary—or I could simply search for any car in a parking lot." Zveare did not test whether he could drive the car, but he confirmed that the flaw could be misused by thieves to break into vehicles and steal their contents.
Single Sign-On (SSO) Threat and Impersonation Feature

Another major problem was that breaching the car company's portal also granted access to other dealer systems linked to it through Single Sign-On (SSO), which lets users log into multiple systems with a single set of credentials. Zveare said that all of the company's dealer systems were interconnected, making it easy to move from one system to another.

Because of this interconnectedness, the portal also contained a feature that allowed administrators, such as the account Zveare created, to "impersonate" any other user and access other systems as that user without needing their login credentials. Zveare noted that this feature closely resembles a vulnerability discovered in Toyota's dealer portal in 2023. Commenting on the impersonation feature, Zveare said: "It's just security nightmares waiting to happen." Once inside the portal, Zveare was able to find customer identification data, some financial information, and telematics systems that allowed real-time tracking of leased or loaner cars, as well as cars being shipped across the country, with an option to cancel those shipments, although Zveare did not attempt that.
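An added example (not the portal's code and not the researcher's) of how an "act as user" feature like the one described above can be kept from becoming silent, unbounded access: the privilege is checked against a server-held role, chained impersonation is refused, and every attempt is written to an audit record naming both parties. Roles, user names and the log shape are constructed for illustration.

```javascript
const AUDIT_LOG = []; // constructed stand-in for an append-only audit sink admins cannot edit

// Returns an impersonation session for `target`, or null when the request is refused.
function impersonate(actor, target, reason) {
  const entry = { event: "impersonate", actor: actor.user, target: target.user, reason, ok: false };
  AUDIT_LOG.push(entry); // record the attempt before deciding, so denials are visible too
  // Role comes from the actor's server-held session, never from a client-supplied field.
  if (actor.role !== "national_admin") return null;
  // An impersonated session cannot impersonate again; the real actor must stay visible.
  if (actor.impersonated) return null;
  // A documented reason is mandatory so the log can be reviewed later.
  if (!reason || !reason.trim()) return null;
  entry.ok = true;
  // The effective identity is the target's, but the session keeps the real actor.
  return {
    user: target.user,
    role: target.role,
    dealerId: target.dealerId,
    impersonated: true,
    actor: actor.user,
  };
}

// What a reviewer would ask of the log: which users a given admin acted as, and why.
function impersonationsBy(actorUser) {
  return AUDIT_LOG
    .filter((e) => e.actor === actorUser && e.ok)
    .map((e) => `${e.target}:${e.reason}`);
}

// Constructed identities.
const HQ_ADMIN = { user: "hq-admin", role: "national_admin", dealerId: null };
const DEALER_42 = { user: "dealer42", role: "dealer", dealerId: 42 };
```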
Speed of Response and Lessons Learned

According to Zveare, the manufacturer fixed the vulnerabilities in about a week in February 2024, shortly after he reported them. Zveare summed it up by saying: "The bottom line is that just two simple API vulnerabilities opened all the doors, and it's always about authentication. If you get that wrong, everything collapses."