Security Researcher Uncovers Major Vulnerability in Car Manufacturer’s Web Portal

By Kevin Lee

Eaton Zveare is a security researcher at the software delivery company Harness. He disclosed major security vulnerabilities in the central web portal of one car manufacturer. The flaws allowed Zveare to add an admin account to the portal, giving him unfettered, high-level access to sensitive data on the buying patterns of more than 1,000 dealerships across the United States.

The alarming incident also calls into question the security standards adopted by the automobile maker. Based on information that Zveare has publicly shared, the vulnerabilities he found were due to two basic API flaws involving a lack of authentication checks. He emphasized, “The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication.”
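The flaw class the article describes, an account-creation API that never checks who is calling, modelled as an added example that is not code from the article or from the manufacturer's portal. The `Portal` and `Request` classes, the user names and the data are all constructed stand-ins; the vulnerable handler sits beside a hardened one that enforces authentication, authorization and audit logging.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Request:
    # Constructed stand-in for an HTTP request: JSON body plus the session the
    # server resolved from the caller's cookie or token (None if not logged in).
    body: dict
    session: Optional[dict] = None

@dataclass
class Portal:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def create_user_vulnerable(self, req: Request) -> Tuple[int, str]:
        # Flaw: the handler trusts the request body entirely. An anonymous
        # caller can mint an "admin" user and then read every dealer record.
        self.users[req.body["username"]] = {"role": req.body.get("role", "user")}
        return 201, "created"

    def create_user_hardened(self, req: Request) -> Tuple[int, str]:
        # Check 1: authentication, the caller must have a valid session.
        if req.session is None:
            return 401, "authentication required"
        # Check 2: authorization, only an existing admin may create accounts,
        # and the requested role is validated server-side rather than trusted.
        caller = self.users.get(req.session["user"])
        if caller is None or caller["role"] != "admin":
            self.audit.append(f"denied create_user by {req.session['user']}")
            return 403, "admin role required"
        role = req.body.get("role", "user")
        if role not in ("user", "admin"):
            return 400, "invalid role"
        self.users[req.body["username"]] = {"role": role}
        self.audit.append(f"{req.session['user']} created {req.body['username']} as {role}")
        return 201, "created"

def demo() -> dict:
    # The same anonymous request is sent to both handlers.
    anon = Request(body={"username": "mallory", "role": "admin"})
    vuln, hard = Portal(), Portal()
    hard.users["alice"] = {"role": "admin"}   # constructed legitimate admin
    v_status, _ = vuln.create_user_vulnerable(anon)
    h_status, _ = hard.create_user_hardened(anon)
    # A real admin creating an ordinary user still succeeds on the hardened path.
    ok_status, _ = hard.create_user_hardened(
        Request(body={"username": "bob"}, session={"user": "alice"}))
    return {"vulnerable": v_status, "hardened_anon": h_status,
            "hardened_admin": ok_status,
            "mallory_is_admin_on_vuln": vuln.users.get("mallory", {}).get("role") == "admin",
            "mallory_on_hardened": "mallory" in hard.users}
```

The audit list on the hardened portal is what a detection team would forward to a SIEM; a burst of denied `create_user` calls is the signal the article's dealers never had.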

Zveare’s investigation began when he stumbled upon the vulnerabilities while analyzing the carmaker’s web portal. He also described how, with the admin account he had created, he was able to sift through a treasure trove of sensitive material, including financial information, dealer leads, and other proprietary data linked to the dealerships.

At WinterCon, Zveare demonstrated just how trivial these vulnerabilities are to exploit. He took one vehicle’s unique vehicle identification number (VIN) directly from the windshield of a car parked in a public parking garage. From that VIN alone, he was able not only to track down the car’s owner but also to obtain additional background data on them.

Zveare discussed his unexpected findings with TechCrunch, underscoring the real-life consequences that these kinds of security oversights can have. He lamented that many of the stakeholders were still blindsided by just how easy it was to get at their data. “No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” he stated.

The disclosure comes at a time when cybersecurity is a serious issue for every industry. As digital transformation accelerates, organizations increasingly rely on online platforms for their services, which leaves them exposed to attack if those platforms are not properly secured.

Ransomware is just one example of why comprehensive security practices are needed to protect sensitive data from attackers. Vulnerabilities like these can have a profound impact that is unique and acute to each individual dealership, and they undermine consumer trust while raising data privacy concerns across the entire automotive sector.
