
Security Flaws In Carmaker's Web Portal Let a Hacker Remotely Unlock Cars (techcrunch.com)
Three years ago security researcher Eaton Zveare discovered a vulnerability in Jacuzzi's SmartTub interface allowing access to the personal data of every hot tub owner.
Now Zveare says flaws in an unnamed carmaker's dealership portal "exposed the private information and vehicle data of its customers," reports TechCrunch, "and could have allowed hackers to remotely break into any of its customers' vehicles." Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of a ["national"] admin account that granted "unfettered access" to the unnamed carmaker's centralized web portal. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker's customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars' functions from anywhere.
Zveare said he doesn't plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information... The flaws were problematic because the buggy code loaded in the user's browser when opening the portal's login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmaker's dealers across the United States, he told TechCrunch... With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars' functions from an app, such as unlocking their cars... "The takeaway is that only two simple API vulnerabilities blasted the doors open, and it's always related to authentication," said Zveare. "If you're going to get those wrong, then everything just falls down."
Zveare told TechCrunch the portals even included "telematics systems that allowed the real-time location tracking of rental or courtesy cars..."
"Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker."
Thanks to long-time Slashdot reader schwit1 for sharing the article.
Really... (Score:5, Insightful)
"...the carmaker found no evidence of past exploitation"
That would be the same carmaker that had no idea about the fundamental security flaws in their portal for... how many years?
I can certainly believe they were unable to find any evidence, but I don't think that's the flex they want it to be.
Re: (Score:2)
It's orders of magnitude easier to investigate a security flaw and how it may have been executed than it is to find it in the first place.
Internet connected cars (Score:3)
No thank you. Stupid, stupid, stupid idea.
Re: (Score:2, Insightful)
Re: Internet connected cars (Score:2)
Can I rip the stuff out, or will they prosecute me for theft of their property?
Re: (Score:2)
Can I rip the stuff out, or will they prosecute me for theft of their property?
You can physically disable communications, if there is later a problem with one of those modules or a related system they might try to deny you warranty protection. They might also try to charge you for any software updates which you have to go to the dealer for because you disabled the equipment used for OTA. If you do it in software, you will probably have to defeat a protection mechanism, and then they could conceivably go after you for that, but probably won't as there's no damages to show so there's no
Re: (Score:3)
Well instead of just stating "Good luck" why not let car manufacturers know that this isn't wanted? Too many people roll over and play dead and these asshat manufacturers know that. I have a 2001 and a 2007 vehicle in top running condition. I take care of them because I don't want any of these new turds masquerading as cars. I see I can even get a nicely restored vehicle for less than an overpriced modern cell phone on wheels, so there are options.
Guess who (Score:5, Informative)
Zveare said he doesn't plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands
It's GM, this is OnStar-related.
Re: (Score:1)
It would be nice if these guys actually told you who it is instead of having to play a guessing game.
"You may or may not be at risk" isn't particularly helpful, especially when the real information exists but "we won't tell you".
Re: (Score:3)
It was fixed in February 2025 per TFS.
Re: (Score:2)
If that's the case then there's no good reason to continue to hide the name of the company involved since nobody is still at risk.
However, if it's something that requires a software update on the vehicle itself, there may be some vehicles still at risk.
There's no way to know based on the information provided.
And if you had stuff mysteriously go missing from your (locked) car, maybe this is the reason?
Ford, Chev, Volkswagen, Toyota? Something else?
You're not allowed to know.
Re: (Score:3)
My guess is after alerting the company they had to sign a bunch of NDAs so as to not embarrass anyone. Corporate America would rather spend millions silencing someone than admit to a problem.
Re: (Score:2)
How could the company force him to sign an NDA?
Why would he?
There was no mention made of money or other compensation changing hands. Without that, the researcher has zero incentive to do so.
Re:Guess who (Score:4, Informative)
However, if it's something that requires a software update on the vehicle itself, there may be some vehicles still at risk.
It was a bug in the web page used by car dealers to manage the cars.
All vehicles from the 2012 model year onward equipped with standard telematics modules can be unlocked by that portal.
https://cybersecuritynews.com/... [cybersecuritynews.com]
Re: (Score:2)
Every manufacturer is doing their own version of OnStar now.
Re: (Score:2)
Yeah, but how many car makers have several popular sub-brands? Not just one or two. That really reduces the list.
Re: (Score:2)
Yeah, but how many car makers have several popular sub-brands? Not just one or two. That really reduces the list.
Literally all of them. The list isn't reduced in any way.
Re:Guess who On-Star (Score:3)
Buy an Alfa instead (Score:1)
https://www.topgear.com/car-ne... [topgear.com]
This explains ... (Score:2)
a vulnerability in Jacuzzi's SmartTub interface
OnStar has automated (Score:2)
the paper clip. (That's what it used to take to break into a car.)
Re: (Score:2)
I opened my car with a rock hammer. Twice.
Same window too (I replaced it the first time).
Keep it local! (Score:2)
The (many) processors on modern cars are perfectly capable of handling a cryptographic handshake to make a completely local decision about unlocking. Between the touchscreen and processors, they are perfectly capable of letting the owner do the key management. There is no reason they can't interact with a smart phone over bluetooth to unlock.
Instead, the idiot manufacturers tie it all to the mothership where a single vulnerability can affect thousands of people all at once.
Re: (Score:2)
I agree; the story here isn't that a common web app had bugs which are now fixed, it's that the system design is fundamentally careless, even with high value and high quantity real world targets.
Glad I have a dumb ass truck.... (Score:2)