Hack into dealership software to access ~9 million car owners: a new and deadly way to steal cars.
Security researcher Eaton Zveare last week shared his research on hacking dealership software in the US. Using this software, he was able not only to steal commercial and technical information, but also to track newly sold cars and take over personal accounts for cars already owned (!).
The trick is clever and simple: the car manufacturer has a procedure for transferring car ownership in mobile apps (which contain location data, door unlock commands, and more). Car manufacturers rely on dealerships as trusted partners to confirm the authenticity of the transfer.
Once a hacker has access to the dealership's system, she can initiate the transfer of any car with just the VIN and some details of the previous owner. See slides 27–36 for more details.
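To make the trust-boundary problem concrete, here is an added model (my own hypothetical code, not the dealer software or any manufacturer's real API) contrasting a transfer gated only on a dealer session with one that also requires the current owner's approval from their own app; the vehicle, account and event names are invented.

```python
# Hypothetical model (added example, not the dealer software or manufacturer
# API) of the trust boundary described above: the manufacturer accepts an
# ownership transfer because a trusted dealer asked for it. It compares a
# dealer-only gate with one that also needs the current owner's in-app approval.
from dataclasses import dataclass, field
import secrets

@dataclass
class Vehicle:
    vin: str
    owner: str                                   # account holding unlock/location access
    pending: dict = field(default_factory=dict)  # consent token -> approved new owner

AUDIT: list = []  # events a manufacturer SOC could alert on (constructed, in-memory)

def transfer_dealer_only(v: Vehicle, dealer_ok: bool, new_owner: str) -> bool:
    """Weak design: a valid dealer session is the only gate, so whoever holds
    dealer access can move any VIN to an account they control."""
    if not dealer_ok:
        return False
    AUDIT.append(("transfer", v.vin, v.owner, new_owner, "dealer-only"))
    v.owner = new_owner
    return True

def request_transfer(v: Vehicle, dealer_ok: bool, new_owner: str) -> str:
    """Hardened design, step 1: the dealer only opens a pending transfer. The
    consent token is delivered to the current owner's own app session, never
    to the dealer, so the dealer cannot complete the transfer by itself."""
    if not dealer_ok:
        raise PermissionError("dealer session required")
    token = secrets.token_urlsafe(16)
    v.pending[token] = new_owner
    AUDIT.append(("transfer_requested", v.vin, v.owner, new_owner))
    return token

def approve_transfer(v: Vehicle, token: str, new_owner: str) -> bool:
    """Hardened design, step 2: the current owner approves from their app.
    The token is single-use and bound to the requested new owner; anything
    else is denied and logged so a SOC can spot transfer attempts that the
    owner never approved."""
    expected = v.pending.pop(token, None)
    if expected is None or expected != new_owner:
        AUDIT.append(("transfer_denied", v.vin, v.owner, new_owner))
        return False
    AUDIT.append(("transfer", v.vin, v.owner, new_owner, "owner-approved"))
    v.owner = new_owner
    return True
```

The "transfer_denied" and "dealer-only" events are the ones worth alerting on: a burst of transfers for cars that still have an active owner account, with no matching owner approval, is exactly the pattern the research describes.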
Super interesting research, and definitely a new attack vector. Apparently, we need Zero Trust between car manufacturers and dealerships.
Enjoy the slides, and share them with your colleagues and teams who work in the automotive industry or at dealerships. It's time to adapt - fast!
More details:
UNEXPECTED CONNECTIONS: How a vulnerability in obscure dealer software could have unlocked your car from anywhere [PDF, 2025]: https://media.defcon.org/DEF%20CON%2033/DEF%20CON%2033%20presentations/Eaton%20Zveare%20Roshan%20Piyush%20-%20Unexpected%20Connections%20How%20a%20vulnerability%20in%20obscure%20dealer%20software%20could%20have%20unlocked%20your%20car%20from%20anywhere.pdf