{"id":162183,"date":"2025-08-11T21:18:02","date_gmt":"2025-08-11T21:18:02","guid":{"rendered":"https:\/\/teknomers.com\/en\/unlocking-the-car-via-mobile-offers-convenience-but-a-recent-failure-revealed-that-we-might-not-be-the-only-ones-with-access\/"},"modified":"2025-08-11T21:18:05","modified_gmt":"2025-08-11T21:18:05","slug":"unlocking-the-car-via-mobile-offers-convenience-but-a-recent-failure-revealed-that-we-might-not-be-the-only-ones-with-access","status":"publish","type":"post","link":"https:\/\/teknomers.com\/en\/unlocking-the-car-via-mobile-offers-convenience-but-a-recent-failure-revealed-that-we-might-not-be-the-only-ones-with-access\/","title":{"rendered":"Unlocking the car via mobile offers convenience, but a recent failure revealed that we might not be the only ones with access."},"content":{"rendered":"\n<p>Imagine that it\u2019s enough to look at the \u00a0windshield\u00a0 of a car to score its \u00a0frame number\u00a0\u2014a 17-character code visible from outside. By entering it into an internal tool, one could find out the name of the \u00a0owner\u00a0 and link that vehicle to a \u00a0mobile account\u00a0. From there, it would be possible to \u00a0unlock the doors\u00a0 remotely via an official app, without touching a lock or forcing anything.<\/p>\n<p><!-- BREAK 1 --> <\/p>\n<p>That is precisely what a cybersecurity \u00a0researcher\u00a0 demonstrated after accessing the internal portal used by dealers of a \u00a0large car brand\u00a0. This incident doesn\u2019t involve an attack on users or public servants, but rather a \u00a0vulnerability\u00a0 within the business platform that connects the manufacturer with its sales network. A backdoor that grants access to \u00a0connected functions\u00a0 and personal data.<\/p>\n<p><!-- BREAK 2 --><\/p>\n<h2>The Failure Was Not in the Car, But in the Chain That Unites Everything<\/h2>\n<p>Behind this unsettling finding is \u00a0Eaton Zveare\u00a0, a researcher who has been tracking vulnerabilities in digital platforms of major brands, especially in the automobile sector. This time was no different. Zveare discovered that the internal web portal of a \u00a0well-known car brand\u00a0 allowed modifications to system behavior directly from the browser. Specifically, he managed to alter the login page code to skip security checks and create an \u00a0administrator account\u00a0 with national privileges. This account provided access to over 1,000 dealerships across the United States.<\/p>\n<p><!-- BREAK 3 -->  <\/p>\n<p>At this point, the \u00a0scope of the problem\u00a0 drastically changed. It was no longer just about accessing internal resources of a dealership; the account created granted access to the \u00a0entire system\u00a0. Zveare could view data for all \u00a0connected dealerships\u00a0, impersonate other users, and most alarmingly, access tools that allowed him to consult \u00a0information about vehicles and their owners\u00a0. This was all possible from a platform intended solely for industry professionals.<\/p>\n<p><!-- BREAK 4 --><\/p>\n<p>Zveare did not force any entry, nor did he install malicious software or launch an external attack. What he discovered was an inadequately secured entry point within a legitimate system. More worrying is that this entry not only permitted him access but provided a suite of tools that should not have been accessible so effortlessly.<\/p>\n<p><!-- BREAK 5 --><\/p>\n<div class=\"article-asset-image article-asset-normal article-asset-center\">\n<div class=\"asset-content\">\n<p>     <img decoding=\"async\" alt=\"Hacker\" class=\"centro_sinmarco\" src=\"https:\/\/teknomers.com\/en\/wp-content\/uploads\/2025\/08\/Unlocking-the-car-via-mobile-offers-convenience-but-a-recent.png\"\/>\n   <\/div>\n<\/div>\n<p>In the \u00a0United States\u00a0, laws regulating vehicle sales vary by state, but they share a fundamental principle: in most instances, \u00a0manufacturers cannot sell new cars directly to consumers\u00a0. They must go through independent dealerships, which are legally safeguarded against direct competition from the manufacturer. This has led to a \u00a0franchised network structure\u00a0 that consolidates thousands of sales and after-sales points.<\/p>\n<p><!-- BREAK 6 --> <\/p>\n<p>Tesla has tried to break away from this model and sell directly, but it has not proven easy. While it has succeeded in a few states, many others still impose legal restrictions that prevent it from selling or delivering vehicles directly. Tesla&#8217;s circumstance is the most visible exception, but it is certainly not the norm.<\/p>\n<p><!-- BREAK 7 --><\/p>\n<p>The most concerning aspect is not merely that this system displayed confidential information. The serious issue is that it allowed actions with \u00a0high privileges\u00a0, as if one were part of the official manufacturer structure. This meant it was possible to impersonate the identities of other employees, intervene in registered vehicles throughout the nation, or access functionalities intended only for authorized technicians.<\/p>\n<p><!-- BREAK 8 --><\/p>\n<div class=\"article-asset-summary article-asset-normal article-asset-center\">\n<div class=\"asset-content\">\n<p>The portal was designed to facilitate actions within the dealer network, not to resist \u00a0malicious access from within\u00a0.<\/p>\n<\/p><\/div>\n<\/div>\n<p>As previously mentioned, each car has a unique \u00a0frame number\u00a0. This code consists of 17 characters\u2014both letters and numbers\u2014that legally identify the vehicle worldwide.<\/p>\n<p><!-- BREAK 9 --><\/p>\n<p>What the average driver likely does not realize is that this code is visible from the outside, located at the base of the windshield. In the context of this case, it served as the key to access. In a real test, \u00a0Zveare entered a visible VIN from the outside\u00a0 and obtained the name of the owner. Moreover, through the portal, it was also possible to link the vehicle to a new mobile account.<\/p>\n<p><!-- BREAK 10 --> <\/p>\n<p>Zveare did not attempt to drive any vehicles or alter their physical configurations. However, with the level of control he possessed, it would have been entirely possible to unlock vehicles remotely and empty their interiors.<\/p>\n<p><!-- BREAK 11 --><\/p>\n<p>Currently, \u00a0the name of the affected manufacturer has not been disclosed\u00a0. While the researcher is aware of the brand behind the compromised portal, he chose not to mention it in his report or during his defense presentation. Similarly, TechCrunch, the first media outlet to cover the story, has also refrained from revealing the identity of the manufacturer.<\/p>\n<p><!-- BREAK 12 --><\/p>\n<div class=\"article-asset article-asset-normal article-asset-center\">\n<div class=\"desvio-container\">\n<div class=\"desvio\">\n<div class=\"desvio-figure js-desvio-figure\">\n     <img loading=\"lazy\" decoding=\"async\" alt=\"Tesla's Collapse in Europe Brings Bad News\" width=\"375\" height=\"142\" src=\"https:\/\/teknomers.com\/en\/wp-content\/uploads\/2025\/08\/Unlocking-the-car-via-mobile-offers-convenience-but-a-recent.jpeg\"\/>\n   <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<p>This is not an unusual practice. In certain cases, researchers opt to maintain the anonymity of the involved company for prudence\u2019s sake, even after the vulnerability has been resolved, to avoid endangering third parties: dealerships, employees, or customers who continue to rely on that system. The fact that the compromised platform granted access to entire networks rather than just isolated servers may also have influenced this decision.<\/p>\n<p><!-- BREAK 13 --><\/p>\n<p>Images | Xataka with Gemini 2.5 Flash<\/p>\n<p>In Xataka | Bugatti decided not to put speakers in a car of four million euros. His secret is a technique of 1881.<\/p>\n<p><br \/>\n<br \/><a href=\"https:\/\/teknomers.com\/category\/general\/\" rel=\"dofollow\">General News &#8211; 2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Imagine that it\u2019s enough to look at the \u00a0windshield\u00a0 of a car to score its \u00a0frame number\u00a0\u2014a 17-character code visible from outside. By entering it into an internal tool, one could find out the name of the \u00a0owner\u00a0 and link that vehicle to a \u00a0mobile account\u00a0. From there, it would be possible to \u00a0unlock the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":162184,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36399],"tags":[286,475,11577,1615,385,2563,4655,40387],"class_list":["post-162183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-access","tag-car","tag-convenience","tag-failure","tag-mobile","tag-offers","tag-revealed","tag-unlocking"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/162183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/comments?post=162183"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/162183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media\/162184"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media?parent=162183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/categories?post=162183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/tags?post=162183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}