Car Owners Beware: A Major Flaw Lets Hackers Steal Your Car Remotely
The rise of digital technologies in cars has brought about numerous benefits, from improved infotainment systems to enhanced safety features. However, this increased reliance on technology also heightens the risk of security threats. Recently, a major carmaker faced criticism for failing to secure its dealership web portal, leaving millions of customers vulnerable to remote hijacking and other nefarious actions.
Security researcher Eaton Zveare has exposed serious vulnerabilities in the centralized dealership web portal of an unnamed major carmaker. He found the flaws by creating a national-level admin account without valid credentials, by modifying code the portal loaded into his browser; such an account could have allowed attackers to gain access to sensitive customer and vehicle data.
The Flaw: Two Weak API Authentications
According to Zveare, the security vulnerabilities were related to two weak API authentications. This allowed him to bypass login security on the web portal and create an unrestricted national-level admin account. With this created account, he gained access to over 1,000 dealership systems in the United States.
The single sign-on feature of the portal was particularly concerning, as it enabled users to jump between different dealer systems without requiring additional authentication. Once access was gained, Zveare demonstrated how easy it was for someone with an unrestricted account to search for a customer's name and match it with the vehicle's information through an internal tool.
Risks of Vehicle Hijacking
What's more concerning is that vehicles with a connected mobile account pose a greater risk of attacks and hijacks. Zveare showed how admins could control or transfer user accounts without any further authentication check, allowing hackers to remotely access and take control of vehicles.
This has serious implications in instances of organized carjacking and theft. The researcher even demonstrated how he was able to remotely unlock a vehicle via the mobile app, using permission from a friend with a vehicle in the portal.
A Response from the Carmaker
Despite the alarming discovery, Zveare reported that the bugs were patched within a week of his notification. However, there is still concern about whether comparable portals outside the United States are affected, and whether similar loopholes exist in overseas subsidiaries.
Other Cases of Security Vulnerabilities
This incident is not an isolated case. Last year, researchers exploited Kia's dealer portal to remotely control vehicles using license plate numbers. Meanwhile, Volkswagen was reported to have exposed the personal data of more than 800,000 EV owners.
In these cases and others like them, carmakers are facing criticism for their handling of security vulnerabilities. As consumers, what can we do to protect our data and vehicles from hacking?
Safeguards to Protect Your Data and Vehicle
Here are some safeguards you can take to protect your data and vehicle from hacking:
- Use strong passwords and two-factor authentication whenever possible.
- Keep your software and operating systems up to date.
- Be cautious when using public Wi-Fi networks or connecting to unfamiliar devices.
- Monitor your vehicle's security settings regularly.
- Consider investing in a vehicle tracking system for added security.
Should We Really Trust These Companies with Our Data?
This incident raises questions about whether we can really trust carmakers with our data. As consumers, it's essential to demand more from these companies and hold them accountable for their security practices.
We want to hear your thoughts on this issue. What safeguards do you take to protect your data and vehicle? Should carmakers be held more accountable for their handling of security vulnerabilities?