Track, in real time, the location of a certain car. Once you see that it's parked, just head over and unlock it using nothing but your phone. In fact, why wait? Just go to any parking lot, look up the VIN, and unlock it. And if you need a little more fun, just cancel some car shipments, because you're a national admin within the brand's online dealership portal, except that you're actually not. You're a hacker.
Thankfully, Eaton Zveare, who actually acquired for himself the ability to do all that,
is not a criminal mastermind. As a security researcher, his job is to try to think like one. Per TechCrunch, he was messing around on "a weekend project" when he discovered the exploit within the brand's portal, which was "two simple API vulnerabilities." (Zveare didn't reveal which brand it was, except to say that it was a famous one with several sub-brands.)
Once he got through the exploit, Zveare was able to make himself an admin with the highest level permissions. The system in question was used by over a thousand dealerships in the U.S., so he was able to access all sorts of information. Names and addresses of buyers were there for the taking; he could have pulled the VIN off of any car on the street and looked up the owner's house. He also found financial data and real-time tracking for rental and courtesy cars. And, oh yeah, he could just cancel any car shipments to the dealerships. Did I mention he could unlock any of the cars within this system?
If all this sounds eerily familiar, it might be because Subaru was found to be similarly vulnerable just this past January. Sleep well tonight!
Read more: These Are The Most Forgettable Cars
Carjacking For The Digital Age
All this technology has made cars incredibly convenient; your car's app does all sorts of things, like remind you where you last parked it and, critically, unlock it for you. Turns out, an admin can essentially use all of those features for any car in the system. The smarter you make everything, the more vulnerable everything gets.
Hacking the automotive industry's systems is a Zveare specialty. In 2023, he got into the stored data of Toyota's Mexican customers. Just a month earlier, he got into Toyota's global supplier management network, which handles the company's supply chain. That is a pretty important thing for a car company! That's the sort of thing you'd assume would be nailed down tight, but, turns out, all you needed was the right email address. Not the password: the email address. Zveare called it "one of the most severe vulnerabilities I have ever found." Until now, it seems.
The good news is, Zveare reports all of his findings to the company in question, and he doesn't talk about them publicly until the issues are already fixed. He found the dealership portal issue back in February; it's all better now, which is why he opened up about it. The bad news is, this is one guy, and if he's finding this stuff, it's likely actual criminals are trying to do similar things. Who knows what exploits they've found? I'd say be safe and lock your car, but maybe that doesn't even matter.
Want more like this? Join the Jalopnik newsletter to get the latest auto news sent straight to your inbox...
Read the original article on Jalopnik.
