What if a stranger could slip into your car, start the engine, and track your every move with nothing more than your name? This isn’t a plot from a thriller—it’s a real vulnerability uncovered in the digital systems of a major automaker, affecting over 1,000 dealerships across the US. At the DEF CON hacking conference, researcher Eaton Zveare revealed a security flaw so severe that it could turn vehicles into tools for cybercriminals. This discovery raises urgent questions about the safety of connected cars and the personal data tied to them.
The significance of this breach cannot be overstated. Dealership systems are not just portals for sales; they are gateways to sensitive customer information, financial records, and even direct control over vehicles through telematics. With the automotive industry increasingly reliant on digital platforms, a single exploit can jeopardize privacy, safety, and trust on a massive scale. This story isn’t about one company’s misstep—it’s a glaring signal of systemic weaknesses that could impact millions of drivers and reshape how the industry approaches cybersecurity.
When Your Car Becomes a Hacker’s Key
Picture a scenario where a cybercriminal, sitting miles away, gains the power to unlock a vehicle and drive off without ever touching a key. Eaton Zveare, a researcher with Harness, demonstrated exactly this at DEF CON, exposing a critical flaw in a major automaker’s dealership platform. His findings showed that over 1,000 US dealerships were linked to a system vulnerable to remote exploitation, putting both cars and personal data at risk.
This isn’t a theoretical threat. Zveare’s research revealed that hackers could manipulate these systems to access vehicles manufactured as early as 2012, provided they had a standard telematics module. The ease of the exploit—requiring only basic information like a name or Vehicle Identification Number (VIN)—highlights a dangerous gap in security that could affect countless owners without their knowledge.
The implications extend beyond individual cars. The breach also exposed related portals, such as those managing loaner vehicles, where sensitive details like contracts and financial documents were left unprotected. This vulnerability paints a troubling picture of how deeply integrated, yet poorly secured, digital tools have become in the automotive world.
Why Dealership System Security Is Critical
In an era where cars are as much tech devices as they are modes of transport, the digital infrastructure supporting them has never been more vital. Dealership systems manage everything from sales transactions to remote vehicle access, handling a treasure trove of data that includes personal identities and payment information. A breach in this ecosystem doesn’t just leak data—it can directly compromise physical safety.
Cybercrime statistics underscore the urgency: according to industry reports, attacks on connected vehicles surged by over 60% in the two years from 2023 to 2025. With automakers pushing for more online integration, the attack surface for hackers continues to expand. This isn’t a niche issue; it’s a growing risk that threatens the foundation of consumer confidence in an increasingly connected industry.
Beyond the numbers, the human cost looms large. A hacked vehicle could be used for theft, surveillance, or worse, endangering lives in ways that traditional car security measures can’t address. As digital platforms become the norm, ensuring their protection is no longer optional—it’s a fundamental responsibility for every stakeholder in the automotive sector.
Unpacking the Exploit: How Hackers Gain Control
Zveare’s findings show the mechanics of the exploit to be both intricate and alarming. Although the dealership platform required an invitation to register, Zveare gained access by exploiting a flaw in the registration form. By manipulating a profile update feature and exploiting weaknesses in the system’s API, he created a ‘national admin’ account, which granted full control over the platform without any legitimate credentials.
With this access, the possibilities for misuse were staggering. Using just a customer’s name or VIN, Zveare could locate a vehicle, transfer its ownership to a fabricated account, and then, through a mobile app, track its location, unlock the doors, and start the engine. This vulnerability potentially affects any model equipped with standard telematics since 2012, exposing a vast number of vehicles to remote tampering.
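Where a platform logs account creation, ownership transfers and remote commands, the sequence described above (a transfer followed shortly by app-based control from the new owner) can be flagged for review. The following is an added example, not code from Zveare's research or the automaker's systems; the event schema, field names, thresholds and sample events are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): the event schema, field names and
# thresholds are hypothetical. SAMPLE_EVENTS is constructed for this example.
WINDOW = timedelta(hours=24)        # max gap between transfer and remote command
NEW_ACCOUNT = timedelta(days=7)     # initiator account age treated as "new"
REMOTE_COMMANDS = {"locate", "unlock", "remote_start"}

SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "account_created", "account": "adm-77"},
    {"ts": "2025-01-10T09:20:00", "type": "ownership_transfer",
     "vin": "VIN-CONSTRUCTED-1", "by": "adm-77", "new_owner": "cust-901"},
    {"ts": "2025-01-10T09:25:00", "type": "unlock",
     "vin": "VIN-CONSTRUCTED-1", "account": "cust-901"},
    {"ts": "2024-03-01T08:00:00", "type": "account_created", "account": "dlr-12"},
    {"ts": "2025-01-11T10:00:00", "type": "ownership_transfer",
     "vin": "VIN-CONSTRUCTED-2", "by": "dlr-12", "new_owner": "cust-902"},
    {"ts": "2025-01-11T10:30:00", "type": "remote_start",
     "vin": "VIN-CONSTRUCTED-2", "account": "cust-902"},
]


def suspicious_transfers(events):
    """Return (vin, initiator, command) for transfers made by a new account and
    followed within WINDOW by a remote command from the new owner."""
    created, transfers, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "account_created":
            created[ev["account"]] = ts
        elif ev["type"] == "ownership_transfer":
            transfers[ev["vin"]] = (ts, ev["by"], ev["new_owner"])
        elif ev["type"] in REMOTE_COMMANDS and ev["vin"] in transfers:
            t_ts, by, owner = transfers[ev["vin"]]
            born = created.get(by)  # unknown creation time is treated as new
            is_new = born is None or t_ts - born <= NEW_ACCOUNT
            if ev["account"] == owner and ts - t_ts <= WINDOW and is_new:
                alerts.append((ev["vin"], by, ev["type"]))
                del transfers[ev["vin"]]  # one alert per transfer
    return alerts
```

On the constructed sample, only the transfer initiated by the twenty-minute-old account is flagged; the transfer by the long-standing dealer account is not.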
Further exploration uncovered even broader risks. Additional portals tied to the system, such as those for loaner cars, were equally insecure, offering access to personal data, financial records, and internal tracking tools for both customers and employees. Similar flaws have surfaced in systems used by other manufacturers like Honda and Toyota, suggesting that this isn’t an isolated failure but a pervasive weakness across the industry’s digital landscape.
Expert Perspectives: A Stark Warning for Automakers
Eaton Zveare didn’t mince words when discussing the severity of these flaws. “This goes beyond one automaker; it’s an industry-wide failure to secure dealer-manufacturer platforms,” he stated during his DEF CON presentation. His experiment, conducted on a friend’s vehicle with permission, proved how effortlessly ownership could be transferred and control seized—all without ever stepping near the car.
Industry analysts echo this concern, pointing to a pattern of remote hacking risks that have plagued multiple brands in recent years. Reports from cybersecurity firms indicate that over 70% of connected vehicle platforms lack adequate safeguards against such exploits. Zveare’s intent isn’t to point fingers but to ignite reform, acknowledging that while the affected automaker has since patched the flaws, the underlying issues remain unresolved across the sector.
His firsthand experience navigating these systems as an outsider reveals a sobering truth: the automotive industry is ill-prepared for the sophisticated cyberattacks of today. Without urgent action, these vulnerabilities could become a gateway for widespread harm, undermining the trust that customers place in both vehicles and the companies behind them.
Securing the Road Ahead: Steps to Protect Automotive Systems
Addressing these vulnerabilities demands immediate and comprehensive measures tailored to the unique challenges of automotive digital platforms. First, access controls must be fortified with multi-factor authentication and strict vetting processes to prevent unauthorized entry through API exploits or profile manipulations. Such barriers could significantly reduce the risk of breaches like the one Zveare uncovered.
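One way to enforce the access controls described here on the server side, covering the invitation-only registration and the profile update feature mentioned in the account of the exploit. This is an added example, not the automaker's code: the article does not describe the portal's implementation, so the field names, role names and HMAC invitation scheme are hypothetical.

```python
import hashlib
import hmac

# Assumptions (not from the article): field names, role names and the
# invitation-token scheme are hypothetical.
INVITE_KEY = b"constructed-demo-key"         # constructed; load from a secret store
EDITABLE_FIELDS = {"display_name", "phone"}  # everything else is server-owned
ROLE_RANK = {"dealer_user": 1, "dealer_admin": 2, "national_admin": 3}


def invite_token(email: str, dealer_id: str) -> str:
    """Token issued by an existing admin, bound to one email and one dealer."""
    msg = f"{email.lower()}|{dealer_id}".encode()
    return hmac.new(INVITE_KEY, msg, hashlib.sha256).hexdigest()


def register(form: dict) -> dict:
    """Create an account only for a valid invitation; the role is never read
    from the submitted form."""
    expected = invite_token(str(form.get("email", "")), str(form.get("dealer_id", "")))
    supplied = str(form.get("invite", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("registration requires a valid invitation")
    return {"email": form["email"].lower(), "dealer_id": form["dealer_id"],
            "role": "dealer_user", "display_name": form.get("display_name", "")}


def update_profile(account: dict, patch: dict) -> dict:
    """Apply a self-service update; reject any key outside the allowlist."""
    rejected = sorted(set(patch) - EDITABLE_FIELDS)
    if rejected:
        raise PermissionError(f"fields not editable by the account owner: {rejected}")
    return {**account, **patch}


def grant_role(actor: dict, target: dict, new_role: str) -> dict:
    """Role changes use a separate path checked against the actor's own role."""
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role: {new_role}")
    rank = ROLE_RANK[actor["role"]]
    if rank < 2 or rank < ROLE_RANK[new_role]:
        raise PermissionError("actor may not grant this role")
    if rank == 2 and actor["dealer_id"] != target["dealer_id"]:
        raise PermissionError("dealer admins are scoped to their own dealer")
    return {**target, "role": new_role}
```

The design point is that privilege is decided only by server-side state: a `role` key in a registration form is ignored, and in a profile update it is refused outright rather than silently dropped, which also makes the attempt visible in logs.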
Telematics security also requires urgent attention. Automakers should prioritize encrypting remote access features and limit app-based controls to verified users only, alongside regular software updates to address emerging threats. Additionally, dealership systems need frequent, independent security audits to catch and fix flaws before they can be exploited, with a strong emphasis on safeguarding customer and employee data.
Collaboration across the industry offers the most promising path forward. Automakers, dealerships, and cybersecurity experts must unite to establish universal standards for digital platforms, learning from incidents like this to build stronger defenses. Consumers, too, can drive change by demanding transparency on data protection when buying or servicing vehicles, pushing companies to prioritize security over convenience in an ever-connected landscape.
Looking back, the exposure of these dealership system flaws by Eaton Zveare served as a pivotal moment for the automotive industry. It forced a reckoning with the reality that digital integration, while innovative, had outpaced security measures at a dangerous cost. The steps taken by the affected automaker to patch the vulnerabilities marked a start, but the broader challenge lingered unresolved. Moving forward, the industry had to commit to rigorous standards, continuous audits, and a culture of proactive defense to ensure that vehicles remained safe havens, not targets for cybercriminals. Only through sustained effort could trust be rebuilt and the road to a secure future paved.