Unexpected Connections: How a vulnerability in obscure dealer software could have unlocked your car from anywhere

Presented at DEF CON 33 (2025), Aug. 10, 2025, 1 p.m. (45 minutes).

Dealers are a vital part of the automotive industry – intentionally separate entities from the manufacturers, but highly interconnected. Most dealers use platforms built by the manufacturers that can be used to order cars, view/store customer information, and manage their day-to-day operations. Earlier this year, new vulnerabilities were discovered in a top automaker’s dealer platform that enabled the creation of a national admin account. This level of access, a privilege reserved for a select few corporate users, opened the door to a wide range of fun exploits. Want to start a car? Forget VINs – all you needed was someone’s name. Access to the enrollment systems made it possible to reassign ownership of cars and access remote control functionality. Want to find out who owns that sleek ride next to you? A quick glance at the VIN on the windshield was all you needed to pull down the owner’s personal information using the customer lookup tool. Want to impersonate the owner of a dealership to gain full access to everything? A user impersonation function was uncovered that made this possible - negating all the two-factor authentication systems. All of this and much more was made possible through API flaws in a centralized dealer system. A system used by more than 1,000 dealers in the USA that you didn’t even know existed. A system that you would never have thought would be the unexpected connection to your car. We break down the full exploit from recon to initial access, from viewing PII to the satisfying roar of an engine coming to life.
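The abstract singles out a user-impersonation function that "negated all the two-factor authentication systems". That failure is a design pattern, not a platform-specific bug, so the following Python sketch (added here; it is not the presenters' code and says nothing about how the actual dealer platform is built) shows the weak shape beside a hardened one. The user directory, role names, the five-minute step-up window and the session fields are all assumptions made up for the example.

```python
"""Hypothetical illustration of why an impersonation feature can bypass 2FA,
and the checks a hardened version needs. Not the dealer platform's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed user directory (user_id -> role). Not real accounts.
USERS = {
    "corp-admin-1": "national_admin",
    "dealer-owner-42": "dealer_principal",
    "sales-7": "sales",
}

# Assumption: impersonation requires a fresh 2FA step-up within 5 minutes.
MFA_FRESHNESS_SECONDS = 300

# Audit trail of every impersonation attempt: (when, caller, target, outcome)
AUDIT_LOG: List[Tuple[float, str, str, str]] = []


@dataclass
class Session:
    user_id: str
    role: str
    mfa_verified_at: Optional[float]      # None: 2FA never completed on this session
    impersonated_by: Optional[str] = None  # set when minted via impersonation


def impersonate_vulnerable(caller: Session, target_user_id: str, now: float) -> Session:
    """Pattern to avoid: any authenticated caller receives a full session as the
    target, and the minted session is stamped as if the target had just passed
    2FA. The target's second factor is never involved at all."""
    return Session(user_id=target_user_id, role=USERS[target_user_id],
                   mfa_verified_at=now)


def impersonate_hardened(caller: Session, target_user_id: str, now: float) -> Optional[Session]:
    """Returns a constrained session, or None (with the reason logged) if denied."""
    def deny(reason: str) -> None:
        AUDIT_LOG.append((now, caller.user_id, target_user_id, "denied: " + reason))
        return None

    # 1. Function-level authorization: only the corporate support role may impersonate.
    if caller.role != "national_admin":
        return deny("caller role not permitted")
    # 2. Step-up: the caller must have completed 2FA recently, on every call.
    if caller.mfa_verified_at is None or now - caller.mfa_verified_at > MFA_FRESHNESS_SECONDS:
        return deny("fresh 2FA required")
    if target_user_id not in USERS:
        return deny("unknown target")
    # 3. Impersonation must never climb the privilege ladder.
    if USERS[target_user_id] == "national_admin":
        return deny("cannot impersonate an administrator")
    # 4. The minted session inherits no MFA claim and is marked as impersonated.
    AUDIT_LOG.append((now, caller.user_id, target_user_id, "allowed"))
    return Session(user_id=target_user_id, role=USERS[target_user_id],
                   mfa_verified_at=None, impersonated_by=caller.user_id)


def can_remote_start(session: Session) -> bool:
    """Vehicle remote-control actions require 2FA on the session actually being
    used, and are refused outright to impersonated sessions."""
    return session.impersonated_by is None and session.mfa_verified_at is not None


if __name__ == "__main__":
    now = 1_000_000.0
    admin = Session("corp-admin-1", "national_admin", mfa_verified_at=now - 60)
    seller = Session("sales-7", "sales", mfa_verified_at=now - 60)
    weak = impersonate_vulnerable(seller, "dealer-owner-42", now)
    print("vulnerable: low-privilege user can remote-start as owner:", can_remote_start(weak))
    strong = impersonate_hardened(admin, "dealer-owner-42", now)
    print("hardened: impersonated session can remote-start:", can_remote_start(strong))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the hardened version is that impersonation is a privileged, audited, step-up-gated operation whose resulting session is visibly second-class: it carries no MFA claim of its own, so the 2FA a dealer owner configured still stands between an attacker and the vehicle-control functions.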

Presenters:

  • Eaton Zveare - Senior Security Research Engineer at Traceable by Harness
    Eaton is a senior security research engineer at Traceable by Harness. As a member of the ASPEN Labs team, he has contributed to the security of some of the world's largest organizations by finding and responsibly disclosing many critical vulnerabilities. He is best known for his high-profile security disclosures in the automotive space: [1](https://www.autonews.com/mobility-report/how-toyotas-supplier-portal-got-hacked), [2](https://www.autonews.com/mobility-report/hacker-accessed-toyotas-mexican-customers-information), [3](https://www.securityweek.com/customer-information-of-toyota-insurance-company-exposed-due-to-misconfigurations/).
  • Roshan Piyush - Security Research at Traceable by Harness
    Roshan Piyush leads Security Research at Traceable by Harness, where he also oversees Aspen Labs — Harness's dedicated initiative for advancing modern application and API security. He is at the forefront of developing next-generation security platforms that deliver deep protection across the software lifecycle, from code to runtime. With over a decade of experience in cybersecurity and a recent focus on API security, Roshan researches cutting-edge detection and prevention techniques across CI/CD pipelines, software supply chains, runtime environments, and cloud-native architectures. His work powers enterprise-grade security solutions that help organizations stay ahead of evolving threats. An active contributor to the open-source security community, Roshan has been involved with projects like OWASP crAPI and Coraza WAF. He frequently shares his insights through technical talks, tools, and collaborations, helping drive progress across the broader AppSec ecosystem.
