At DEF CON 33, Eaton Zveare, a senior security research engineer at Traceable, presented research on significant vulnerabilities in automotive dealer platforms that could have allowed remote car hacking and large-scale data theft.
Zveare presented his findings on August 10, 2025, at DEF CON 33 in Las Vegas, with a talk titled “Unexpected Connections: How a vulnerability in obscure dealer software could have unlocked your car from anywhere”. His presentation at the Car Hacking Village detailed how API flaws in a top automaker’s dealer platform enabled the creation of a national admin account. With that level of access, he demonstrated that remotely taking over vehicles was “only the tip of the iceberg” of potential exploitation.
Key Vulnerability Findings
The research focused on the centralized dealer platform that a major US-market automaker uses for sales, service, and marketing operations. Zveare found that because the dealer platform is linked to many other back-end systems, which is convenient for management, a flaw in any one component can expose the rest of the network.
The vulnerabilities could allow an attacker to:
- Remotely access and control customer vehicles
- Steal vast amounts of personal and vehicle data
- Gain administrative access to dealer systems nationwide
Zveare’s Track Record in Automotive Security
Zveare has established himself as a leading researcher in automotive cybersecurity through several high-profile discoveries:
Honda Vulnerabilities (2023)
Zveare previously discovered critical flaws in Honda’s ecommerce platform for power equipment, marine, and lawn & garden products. The vulnerabilities included:
- A password reset API flaw that allowed unauthorized access to any account
- Insecure direct object references (IDOR) enabling access to all dealer data
- Exposure of over 21,000 customer orders from 2016 to 2023
- Access to 1,500 dealer websites, with the ability to modify them
- Potential access to payment service private keys for PayPal, Stripe, and Authorize.net
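Two of the classes listed above, an insecure direct object reference and a password-reset endpoint that demands no proof of possession, are common enough that it is worth seeing each beside its hardened form. The Python below is an added, constructed illustration written for this article; it is not Honda's code and not taken from Zveare's write-ups, and the order records, account store, session object and function names are all assumptions made for the example.

```python
"""Constructed example: IDOR and password-reset flaws beside hardened versions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two dealers, each with one order. Not real data.
ORDERS = {
    1001: {"dealer_id": "D-01", "customer": "A. Customer", "total": 249.99},
    1002: {"dealer_id": "D-02", "customer": "B. Customer", "total": 1299.00},
}
ACCOUNTS = {}  # email -> {"salt", "pw_hash", "reset_digest"}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass
class Session:
    user: str
    dealer_id: str  # tenant the authenticated user belongs to


# --- Insecure direct object reference ---------------------------------------

def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """IDOR: the id from the request is trusted; any logged-in dealer reads any order."""
    return ORDERS[order_id]


def get_order(session: Session, order_id: int) -> dict:
    """Hardened: the record is filtered by the caller's tenant, not just fetched by id."""
    order = ORDERS.get(order_id)
    if order is None or order["dealer_id"] != session.dealer_id:
        # Same error for "does not exist" and "belongs to another dealer",
        # so the endpoint cannot be used to enumerate valid ids.
        raise Forbidden(f"order {order_id} not accessible to {session.user}")
    return order


def can_read_order(session: Session, order_id: int) -> bool:
    """Convenience wrapper so callers can check access without handling the exception."""
    try:
        get_order(session, order_id)
        return True
    except Forbidden:
        return False


# --- Password reset without proof of possession -------------------------------

def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a production system would prefer argon2id or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": _pw_hash(password, salt), "reset_digest": None}


def check_login(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    return hmac.compare_digest(acct["pw_hash"], _pw_hash(password, acct["salt"]))


def reset_password_vulnerable(email: str, new_password: str) -> bool:
    """Flawed: knowing a victim's email address is enough to take over the account."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    acct["pw_hash"] = _pw_hash(new_password, acct["salt"])
    return True


def request_reset(email: str) -> Optional[str]:
    """Hardened step 1: mint a single-use token and store only its digest.
    The raw token is returned here to stand in for the email that would deliver it."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    acct["reset_digest"] = hashlib.sha256(token.encode()).digest()
    return token


def reset_password(email: str, token: str, new_password: str) -> bool:
    """Hardened step 2: the caller must present the token that went to the mailbox."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["reset_digest"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(acct["reset_digest"], presented):
        return False
    acct["reset_digest"] = None  # single use
    acct["pw_hash"] = _pw_hash(new_password, acct["salt"])
    return True
```

The point of the hardened `get_order` is that the tenant check happens on every lookup rather than relying on the id being hard to guess, and that a foreign id and a missing id produce the same error. For the reset flow, the server stores only a digest of the token, compares it in constant time, and discards it after one use, so possession of the mailbox, not knowledge of the email address, is what authorizes the change.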
Toyota Vulnerabilities (2022-2023)
Zveare also uncovered multiple security issues in Toyota’s systems:
- Backdoor access to Toyota’s Global Supplier Preparation Information Management System (GSPIMS)
- Access to data from over 14,000 corporate users and 3,000 suppliers worldwide
- Vulnerabilities in Toyota's Customer 360 CRM platform that exposed data on customers in Mexico
Industry Response and Impact
Honda responded promptly to Zveare's disclosure, addressing the issues immediately and thanking him for his work, even though the company does not operate a bug bounty program. Toyota likewise patched the vulnerabilities in its systems within weeks of disclosure.
Upcoming Detailed Disclosure
Zveare told SecurityWeek that he plans to publish a comprehensive blog post detailing his latest DEF CON findings. Judging by his previous disclosures on his website (eaton-works.com), that post is likely to cover the exploitation methods in technical detail and the full scope of data that could have been accessed through these vulnerabilities.