Categories: Cyber Security News

Critical Flaw in Carmaker Portal Lets Hackers Unlock Cars Remotely

In a startling revelation at DEF CON 33, security researcher Eaton Zveare demonstrated how a critical vulnerability in a leading automaker’s dealer management platform could be exploited to fully commandeer connected vehicles.

The flaw, residing in an AngularJS/SAP Java application used by authorized dealers, allowed an attacker to bypass invite-token validation, gain national admin privileges, and ultimately unlock and start cars remotely.

Silent Registration Bypass via Hidden HTML Form

Zveare discovered that the dealer portal’s registration was meant to be invite-only and gated by an invite token, but the token wasn’t enforced on the backend.

By unmasking a hidden <div id="MySecretRegForm"> and setting its CSS display property to block, he displayed the registration form and submitted it with an empty Invite_Token parameter.

The vulnerable POST endpoint (https://dealer-mothership.com/create-dealer-account) accepted Invite_Token= without validation, enabling any attacker to create a dealer account.

Once registered, limited session cookies (JSESSIONID) were established only after invoking the “Profile update” API, providing access to JS-heavy pages that exposed internal Angular modules and API endpoints.

Through Chrome Local Overrides, Zveare patched client-side checks—commenting out access-denied popups and commonUtil.checkStateValid logic—to unlock the admin user management panel.

National Admin Creation and API Weaknesses

Within the Angular module .adminl.userManagement, Zveare located the createUser API call that lacked authorization checks.

By supplying crafted JSON payloads for fields such as UserType, CompanyCode, and AccessRights, he created a “National” admin account with full privileges (Access_Level = National, Access_Right = SuperAdmin).

This account could query thousands of dealers via GET /api/adminl_inExUserSearch, enumerate dealer codes, and list consumer records.

The attacker then leveraged the Consumer Information Update feature—originally meant to correct address or phone data—to initiate VIN-based enrollment for a new account.

Submitting a VIN triggers a backend process that “removes existing connections” and assigns the vehicle to the attacker-controlled profile.

By inputting odometer readings and confirming ownership via deceptive UI prompts, Zveare successfully transferred control of his friend’s car, then used the OEM mobile app’s remote start and unlock APIs to verify the exploit.

Broad Implications and Responsible Disclosure

Affected vehicles dating back to model year 2012 with standard telematics modules are at risk. Zveare’s timeline shows the issue was reported on February 3, patches were deployed by February 11, and publicly disclosed at DEF CON 33 on August 10, 2025.

His findings underscore the peril of interconnected dealer ecosystems, where an obscure Angular/React front end and lax API validations can expose critical telematics functions.

Automakers and third-party vendors must enforce strict server-side token checks, role-based API authorization, and code reviews for frontend overrides to safeguard owner privacy and vehicle security.
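The first two of those controls, sketched as an added example (not code from the portal, the vendor or the researcher): registration rejects a missing or unknown invite token on the server, and createUser decides authorization from the server-side session rather than from request fields or client-side JavaScript. The field names Invite_Token and Access_Level come from the article; the function names, the invite store, the canManageUsers flag and the level ranking are assumptions.

```javascript
// Added example. All names below except Invite_Token / Access_Level are hypothetical.
// Assumed privilege hierarchy; a Map avoids prototype keys such as "constructor".
const LEVEL_RANK = new Map([["Dealer", 1], ["Regional", 2], ["National", 3]]);

// Constructed sample data: one issued invite, bound to an email, not yet used.
function makeInviteStore(now) {
  return new Map([
    ["inv-7f3c9a", { email: "new.user@dealer.example", expires: now + 3600000, used: false }],
  ]);
}

// Registration: the token must be present, known, unexpired, unused and
// issued to the email that is registering. An empty value is rejected outright.
function registerDealer(body, inviteStore, now) {
  const token = typeof body.Invite_Token === "string" ? body.Invite_Token.trim() : "";
  if (token === "") return { status: 400, error: "invite token required" };
  const invite = inviteStore.get(token);
  if (!invite || invite.used || invite.expires <= now || invite.email !== body.email) {
    return { status: 403, error: "invalid invite" };
  }
  invite.used = true; // single use
  // New accounts always start at the lowest level, whatever the body asks for.
  return { status: 201, user: { email: body.email, Access_Level: "Dealer" } };
}

// createUser: the caller's rights come from the session the server holds.
// Hiding a panel or popup in the browser is not an access control.
function createUser(session, payload) {
  if (!session || !session.user) return { status: 401, error: "not authenticated" };
  if (session.user.canManageUsers !== true) return { status: 403, error: "forbidden" };
  const targetRank = LEVEL_RANK.get(payload.Access_Level);
  if (targetRank === undefined) return { status: 400, error: "unknown Access_Level" };
  const callerRank = LEVEL_RANK.get(session.user.Access_Level) || 0;
  // A caller can never grant a level above their own.
  if (targetRank > callerRank) return { status: 403, error: "cannot grant this level" };
  return { status: 201, user: { email: payload.email, Access_Level: payload.Access_Level } };
}
```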

The post Critical Flaw in Carmaker Portal Lets Hackers Unlock Cars Remotely appeared first on Cyber Security News.
