
“A nightmare for safety”: this bug made it possible to take control of a car remotely

The vulnerability made it possible to create an administrator account with “unlimited access” on the manufacturer's centralized web portal. The discovery was presented publicly at the DEF CON security conference in Las Vegas.
A major manufacturer hit by a serious flaw
The vulnerability would have allowed attackers to view customers' personal and financial data, track their vehicles in real time and enroll those vehicles in features that allow certain functions to be controlled remotely.
Eaton Zveare declines to name the affected manufacturer, but says it is a very well-known brand with several popular subsidiaries. In short, a well-known automobile group holding very sensitive data makes this security problem hard not to worry about.
The researcher has previously found bugs in the customer and vehicle-management systems of other manufacturers, and identified this flaw at the start of 2025 during a project. Although the vulnerability was complex to detect, it made it possible to completely bypass the login mechanism and obtain an administrator account.
The problem lay in the code that runs in the browser when the login page is opened. Eaton Zveare was able to modify this client-side code to bypass the security checks, which means the server was relying on the browser to enforce them. Since the manufacturer has never communicated on the subject, it is possible that the researcher was the first to put his finger on the flaw.
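The article does not show the portal's code, so the following is an added illustration rather than the affected manufacturer's code: a JavaScript sketch of an account-creation flow whose only authorization check lives in the login page's browser script, beside an API handler that re-derives authority from the server-side session. The endpoint shape, role names, session store and the forged request body are all assumptions made for the example.

```javascript
// Added example (not code from the affected portal): a browser-only authorization gate
// next to a server handler that trusts it, and a hardened handler that does not.
// Session layout, role names and request shape are assumptions for illustration.

// Constructed server-side session store. Only one real identity exists, and it is a
// plain dealer user with no administrative rights.
const SESSIONS = new Map([
  ["sess-7f3a", { user: "dealer_user", role: "dealer" }],
]);

// What the browser-side code of a login/admin page would do before calling the API.
// An attacker can edit or skip this function entirely (DevTools, an intercepting proxy,
// a modified copy of the script), so it provides no security on its own.
function clientSideGate(uiState) {
  if (uiState.role !== "admin") throw new Error("UI: admin-only action");
  return { username: uiState.newUser, role: uiState.grantRole };
}

// Vulnerable handler: trusts the JSON body because "the UI already checked".
// The role stored on the new account is whatever the client chose to send.
function vulnerableCreateAccount(sessionId, body, accounts) {
  if (!SESSIONS.has(sessionId)) return { status: 401 };
  accounts.push({ username: body.username, role: body.role });
  return { status: 201, role: body.role };
}

// Hardened handler: authority comes from the server-side session, never from the body,
// and the requested role is validated against an allow-list before being stored.
const GRANTABLE_ROLES = new Set(["dealer", "admin"]);
function hardenedCreateAccount(sessionId, body, accounts) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 401 };
  if (session.role !== "admin") return { status: 403 };
  if (typeof body.username !== "string" || !GRANTABLE_ROLES.has(body.role)) {
    return { status: 400 };
  }
  accounts.push({ username: body.username, role: body.role, createdBy: session.user });
  return { status: 201, role: body.role };
}

// Replay the same tampered request against both handlers. The forged body is what a
// client sends once the browser-side gate has been removed from the page script.
function runDemo() {
  const forged = { username: "attacker", role: "admin" };

  // The honest UI path is blocked for a dealer-level user...
  let gateBlocked = false;
  try {
    clientSideGate({ role: "dealer", newUser: "attacker", grantRole: "admin" });
  } catch (_) {
    gateBlocked = true;
  }

  // ...but the API behind it never re-checks, so the forged body succeeds.
  const vulnAccounts = [];
  const vuln = vulnerableCreateAccount("sess-7f3a", forged, vulnAccounts);

  // The hardened handler refuses the same body from the same dealer-level session.
  const hardAccounts = [];
  const hard = hardenedCreateAccount("sess-7f3a", forged, hardAccounts);
  const noSession = hardenedCreateAccount("sess-dead", forged, hardAccounts);

  return {
    gateBlocked,
    vulnerableStatus: vuln.status,
    vulnerableAdminCreated: vulnAccounts.some((a) => a.role === "admin"),
    hardenedStatus: hard.status,
    hardenedAdminCreated: hardAccounts.length > 0,
    unauthenticatedStatus: noSession.status,
  };
}

console.log(runDemo());
```

The point of the pairing is that the client-side gate and the server-side check look almost identical, but only one of them runs on a machine the attacker does not control. Any check that exists solely in page JavaScript must be repeated on the server using state the server issued itself (here, the session record), not fields copied from the request.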
Worrying: logging in with that account gave access to more than 1,000 of the manufacturer's dealerships across the United States. “No one knows that you are silently looking at all the data of these dealers, all their finances, all their private affairs, all their prospects,” says Eaton Zveare.
The portal notably contained a customer lookup tool for consulting vehicle and driver data. For example, Eaton Zveare used the vehicle identification number (VIN) of a car, read from a windshield in a public parking lot, to find its owner. The tool also made it possible to search using only a customer's first and last name.
The portal also made it possible to link any vehicle to an account, enabling remote control of certain features of the car through a mobile app, such as unlocking. Eaton Zveare tested this with a friend's consent and found that the portal required only an attestation that the transfer of ownership was legitimate, with no further proof.
A bug that allows a car to be controlled remotely
“For my experiment, I just found a friend who consented to me taking control of his car and went with that. But the portal could do that to anyone just by knowing their name, which worries me a little. Or I could simply look for a car in a parking lot,” explains Eaton Zveare.
Note that Eaton Zveare did not test whether it was possible to drive the vehicle remotely, but the vulnerability could have been exploited by thieves to steal cars or the valuables inside them.
Access to the portal also revealed an interconnection with other dealer systems through single sign-on (SSO), so it was easy to move from one system to another. Worse still, the portal offered administrators the ability to “impersonate” other users.
Eaton Zveare could therefore access dealer systems as if he were a specific user, without even needing that user's credentials. The researcher also found personally identifiable information, financial information and real-time tracking of courtesy loaner vehicles. He was even able to follow cars being shipped across the United States, with the ability to cancel orders.
All of these bugs were fixed within about a week in February 2025, shortly after Eaton Zveare's disclosure to the manufacturer. He concludes: “The lesson to remember is that just two simple API vulnerabilities opened all the doors, and it always comes down to authentication. If you have a flaw, then everything collapses.”