Researcher Uncovers Major Security Flaws in Car Dealership Portal, Exposing Vehicles to Remote Hacking

August 11, 2025
  • Security researcher Eaton Zveare uncovered significant vulnerabilities in a carmaker's online dealership portal, which could allow hackers to remotely access and unlock vehicles while exposing sensitive customer information.

  • Despite the platform requiring an invitation for account registration, Zveare exploited API vulnerabilities to create a 'national admin' account, gaining unrestricted access to the portal.

  • This access revealed flaws in the online platform utilized by over 1,000 U.S. dealerships, compromising functions related to car ordering, sales, and customer management.

  • Zveare discovered various types of sensitive data, including personally identifiable information and financial records, as well as tools for real-time vehicle tracking and transaction cancellation.

  • Once linked to a targeted vehicle, he demonstrated the ability to remotely track its location, unlock it, and start the engine via the associated mobile application.

  • The vulnerabilities raised concerns about potential misuse, as attackers could unlock vehicles and possibly steal items inside, although Zveare did not confirm whether he could actually drive a vehicle away.

  • By using a vehicle identification number (VIN), any user with portal access could look up the owner's name and potentially transfer ownership of the account, gaining control over the vehicle.

  • Because security checks were enforced by insecure code running in users' browsers (client-side) rather than on the server, Zveare was able to bypass them, highlighting the overall security weaknesses within dealership systems.

  • The interconnected nature of the carmaker's systems enabled Zveare to impersonate other users, further compromising security by allowing access to other dealer systems without their credentials.

  • In response to these findings, the Federal Communications Commission (FCC) emphasized the need for car manufacturers to enhance security measures to protect against stalking and unauthorized tracking.

  • After being notified by Zveare, the automaker addressed the vulnerabilities within a week, underscoring the urgent need for improved security across the automotive industry.

  • Zveare plans to present his findings at the DEF CON hacking conference and will publish a detailed blog post on the vulnerabilities to raise awareness.

Summary based on 3 sources
