In an alarming revelation, a security researcher has uncovered significant vulnerabilities within an automotive manufacturer’s online dealership portal, raising serious concerns about the safety of customer data and vehicle security. These flaws could potentially allow malicious actors to gain unauthorized access to vehicles remotely, posing a threat to both personal privacy and vehicle integrity.
Discovery of Security Flaws
Eaton Zveare, a security researcher affiliated with a software delivery firm, shared insights with TechCrunch regarding the vulnerabilities he identified. He explained that these flaws enabled the creation of an administrative account, which provided unrestricted access to the carmaker’s centralized web portal. This level of access could have dire consequences, allowing hackers to view sensitive personal and financial information of customers, track vehicles, and even enroll individuals in features that grant control over various car functions from any location.
Implications of Unauthorized Access
While Zveare chose not to disclose the identity of the automaker, he emphasized that it is a well-known brand with several popular sub-brands. During an interview prior to his presentation at the Def Con security conference, he highlighted the critical need for improved security measures within dealership systems, which currently provide extensive access to customer and vehicle data for employees and associates.
Challenges in Identifying Vulnerabilities
Zveare’s journey to uncover these vulnerabilities began as a weekend project earlier this year. He noted that while the flaws in the portal’s login system were difficult to detect, once discovered, they allowed him to bypass the login mechanism entirely by creating a new ‘national admin’ account. This was made possible due to buggy code that loaded in the user’s browser when accessing the login page, enabling him to modify the code and circumvent security checks.
Accessing Sensitive Information
Once logged in, Zveare gained access to over 1,000 dealerships across the United States. He described the unsettling nature of this access, stating, “No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads.” Among the tools available within the portal was a national consumer lookup feature, which allowed users to access vehicle and driver data using minimal information.
Potential for Abuse
In a practical demonstration, Zveare utilized a vehicle’s unique identification number to identify its owner, showcasing the ease with which personal information could be accessed. Furthermore, he discovered that the portal allowed for the pairing of any vehicle with a mobile account, enabling remote control of certain car functions, such as unlocking doors. Zveare tested this capability with a friend’s consent, revealing that the portal’s verification process was alarmingly lax.
Interconnected Systems and User Impersonation Risks
Another significant concern was the interconnected nature of the dealership systems, facilitated by a single sign-on feature. This allowed Zveare to navigate between different dealer systems seamlessly. He also found a feature that enabled admins to impersonate other users, granting access to additional dealer systems without requiring their login credentials. Zveare likened this to a similar vulnerability found in another automotive dealer portal earlier this year.
Consequences of Data Exposure
Upon further exploration of the portal, Zveare encountered personally identifiable information, financial data, and telematics systems capable of real-time tracking of rental vehicles and those in transit. He noted the potential for misuse, as unauthorized access could lead to theft or other criminal activities.
Resolution and Lessons Learned
Following Zveare’s disclosure to the automaker, the vulnerabilities were addressed within a week. He emphasized that the root of the issue lay in two simple API vulnerabilities, underscoring the critical importance of robust authentication measures. “If you’re going to get those wrong, then everything just falls down,” he cautioned, highlighting the need for heightened security protocols in the automotive industry.