
Security flaw exposed automaker's entire dealership portal to hackers

Fortunately a "good guy" found the problem, which could let him remotely control vehicles; it was fixed last February


  • A security researcher was able to get into an automaker’s online dealer portal and access customers’ financial and vehicle information
  • He reported it to the unnamed automaker in February, and it took a week to fix the problem
  • And in the U.K., Hyundai is offering an optional “fix” to prevent hackers from getting into vehicles with a GameBoy-styled device

A security expert uncovered a flaw in an automaker’s online dealership portal that could have allowed hackers to remotely break into customer vehicles—and to prove it, the expert, with permission, took over a friend’s car. That’s according to a report from TechCrunch, which said Eaton Zveare, a security researcher at software company Harness, was able to create an administration account through the flaw that granted him “unfettered access” to the automaker’s centralized web portal.


He would not name the automaker, but said it was a “widely known” one with “several popular sub-brands.” Once he’d created the account, he was able to modify the portal’s log-in page to bypass security checks. Once he logged in, he was able to access more than 1,000 of the company’s dealers across the U.S., and could have viewed vehicle owners’ personal and financial data, tracked their vehicles, and set them up with features that could have allowed him to remotely control some of the vehicles’ functions, including unlocking the vehicle with a phone.


Zveare said he saw no evidence that anyone had gotten in before, meaning he was the first to discover the flaw, and that he reported it to the unnamed automaker in February 2025. He said the issue required a week to fix.


At the Def Con security hacking conference in Las Vegas in mid-August, Zveare gave a presentation outlining potential security issues with dealership systems, which can provide “broad access” to customer and vehicle information for dealer employees. He said he has found bugs in these systems before, and found this particular one earlier this year as part of a weekend project. The flaws were “a challenge” to find, but once he did, he was able to bypass the log-in process by creating a new account as a “national admin,” which would allow him to access multiple systems within the dealership—even potentially cancelling a customer’s vehicle order, or tracking rental or courtesy cars.


Once in, he found a look-up tool that allowed users logged into the portal to find the vehicle and the owner’s data. To prove it, he took a VIN (vehicle identification number) from a vehicle in a parking lot (it’s required to be on the driver’s side of the dash on every vehicle, visible through the windshield) and identified its owner with it. He said he could also have looked up a vehicle if he knew the customer’s first and last name.

With permission, he transferred ownership of a friend’s vehicle to an account that Zveare controlled, and he was able to do it by simply indicating on the account that the transfer was valid. He said he didn’t try to drive the car, but indicated that someone could have gotten into the vehicle and stolen items out of it.

2025 Hyundai Ioniq 5 Photo by Hyundai

In other news, as reported by The Verge and others, Hyundai in the U.K. is offering owners of the electric Ioniq 5 an optional security update, which will prevent hackers from stealing the car by using a device similar to a Nintendo GameBoy to open and start the vehicle without using a key. It’s believed the device was created by European hackers, but it is expensive to buy, priced at the equivalent of thousands of dollars.

The related Kia EV6 and Genesis GV60 are apparently also vulnerable to the device. It’s reported that the device decodes the vehicle’s signal from its door handle and sends a fake one that the car interprets as the correct one. The optional “fix” to protect the vehicle is £49, or about $92 in Canadian loonies—although many are asking why they need to pay extra to patch up an issue in the car’s security system.

So far, it doesn’t appear that the GameBoy hack has made its way across the pond. Engine immobilizers, which are effective in helping to prevent auto theft, became mandatory in Europe for all cars sold after 1998; and in Canada for all consumer vehicles sold after 2007. The U.S. recommends that automakers install them, but so far hasn’t made it a mandatory feature.
