How API flaws led to admin access to 1k+ USA dealers & control of yr car
Eaton Zveare
DEF CON 33 (backfill) · Day 1 · Main Stage
In this DEF CON presentation, security researcher Eaton Zveare walked through a vulnerability chain that gave him national administrative access to the proprietary dealer system used by more than a thousand automotive dealerships across the United States. That access let him view large volumes of sensitive Personally Identifiable Information (PII) belonging to customers and employees and, by reassigning vehicle ownership within the system, remotely control vehicles. The talk showed how a series of individually minor API flaws, chained together, compromised an entire automotive ecosystem.
AI review
Zveare delivers a clean, well-executed vulnerability chain that turns a blank invite token into national admin access over 1,000+ dealerships, remote vehicle takeover, and PII for millions. The research is original, the demo is real, and the attack surface, automotive dealer backend systems, is genuinely underexplored. Not a 5 because the individual bugs are mundane; the novelty is in the target selection and the chain, not the techniques.
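The review names the first link of the chain as a blank invite token being accepted. The page does not say how the real dealer system handled that token, so the following is an added example of the bug class in general, not code from the talk or from the dealer system: an onboarding endpoint whose naive string comparison lets an empty submitted token match an invite whose stored token is also empty (the invite store, the invite IDs, the role names and the "never-issued invite has an empty token" mechanism are all constructed assumptions for illustration), beside a hardened version that refuses blanks on either side, compares in constant time, makes invites single-use, and keeps the national-admin role out of self-service onboarding entirely.

```python
import hmac
from typing import Dict, Optional

# Roles that self-service invite redemption may grant. Anything more
# privileged must go through an out-of-band approval path. (Assumed
# policy for this example, not the dealer system's actual policy.)
SELF_SERVICE_ROLES = {"dealer_user"}


def make_invites() -> Dict[str, dict]:
    """Constructed invite store for an imaginary dealer-onboarding endpoint.

    Returns a fresh copy each call so the examples below do not interfere.
    """
    return {
        # A normal invite with an issued token.
        "inv-001": {"token": "k9QxT2pLw7", "role": "dealer_user", "used": False},
        # A privileged invite that was created but never issued, so its token
        # is blank. This is the assumed mechanism behind "blank token accepted".
        "inv-002": {"token": "", "role": "national_admin", "used": False},
        # A privileged invite with a real token, to show the role allowlist.
        "inv-003": {"token": "A7vBn3zQrX", "role": "national_admin", "used": False},
    }


def accept_invite_vulnerable(invites: Dict[str, dict], invite_id: str,
                             submitted: str) -> Optional[str]:
    """Return the granted role, or None.

    Naive comparison: "" == "" is True, so an attacker who submits an empty
    token for a never-issued invite is granted that invite's role.
    """
    invite = invites.get(invite_id)
    if invite is None:
        return None
    if submitted == invite["token"]:
        return invite["role"]
    return None


def accept_invite_hardened(invites: Dict[str, dict], invite_id: str,
                           submitted: str) -> Optional[str]:
    """Return the granted role, or None, with the checks the naive version lacks."""
    invite = invites.get(invite_id)
    if invite is None or invite["used"]:
        return None
    stored = invite["token"]
    # A missing or blank token is a reason to reject, never a wildcard.
    if not submitted or not stored:
        return None
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted.encode(), stored.encode()):
        return None
    # Even a correct token cannot bootstrap a privileged role through this path.
    if invite["role"] not in SELF_SERVICE_ROLES:
        return None
    invite["used"] = True  # single use: a captured token cannot be replayed
    return invite["role"]


if __name__ == "__main__":
    print("vulnerable, blank token on inv-002:",
          accept_invite_vulnerable(make_invites(), "inv-002", ""))
    print("hardened,   blank token on inv-002:",
          accept_invite_hardened(make_invites(), "inv-002", ""))
    print("hardened,   valid token on inv-001:",
          accept_invite_hardened(make_invites(), "inv-001", "k9QxT2pLw7"))
```

The role allowlist is the check that matters most for the outcome the talk describes: once a single blank token reaches national admin, everything downstream (PII access, ownership reassignment, remote vehicle control) follows from the role, so the onboarding path should be incapable of granting that role no matter what token it sees.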