(DEF CON 33) How I hacked over 1,000 car dealerships across the US

Earlier this year, I discovered new vulnerabilities in a top automaker’s centralized dealer platform. The impact of the vulnerabilities was so profound that I decided to submit a CFP to DEF CON 33 (my first ever). It was accepted, and I gave my presentation on the DEF CON main stage on August 10, 2025 in Las Vegas to a packed audience. A similar talk was also given at the Car Hacking Village. These are new vulnerabilities that were officially revealed at DEF CON 33 and had not been publicized anywhere else beforehand. It was also a featured TechCrunch exclusive for most of the day.
There were essentially two vulnerabilities:
- Missing invite token verification on an invite-only centralized dealer portal.
- Missing privilege check in the internal account creation system. As a result, you could make a national admin account.
The national admin account made it possible to gain complete control over the systems of more than 1,000 car dealerships in the US. All the sales, finances, customer info, leads, and even car ordering systems were at my fingertips. Most importantly, it was possible to take control over any customer car. There was so much I had access to that listing them all here would be like a CVS receipt.
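To make the two missing checks concrete, here is an added example (not code from the dealer platform or from the talk) contrasting an unchecked account-creation flow with one that verifies an invite token and enforces that a caller can only grant roles no higher than its own. The role names, the token format and the in-memory nonce store are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical role ladder; the real platform's role names are not on the page.
ROLE_RANK = {"dealer_user": 1, "dealer_admin": 2, "regional_admin": 3, "national_admin": 4}
INVITE_KEY = secrets.token_bytes(32)  # constructed server-side secret (a real system loads it from a KMS)
_used_nonces = set()                  # single-use tracking; a real system would persist this

def issue_invite(email, role, ttl=3600, now=None):
    """Mint an invite bound to one email and one role, with an expiry and a single-use nonce."""
    exp = (int(time.time()) if now is None else now) + ttl
    payload = f"{email}|{role}|{exp}|{secrets.token_hex(8)}"
    sig = hmac.new(INVITE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_invite(token, email, role, now=None):
    """Accept only an authentic, unexpired, unused token issued for exactly this email and role."""
    try:
        t_email, t_role, t_exp, nonce, sig = token.split("|")
    except ValueError:
        return False
    payload = f"{t_email}|{t_role}|{t_exp}|{nonce}"
    expected = hmac.new(INVITE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature comparison
        return False
    now = int(time.time()) if now is None else now
    if int(t_exp) < now or nonce in _used_nonces:
        return False
    if t_email != email or t_role != role:      # the token must be bound to this invitee and role
        return False
    _used_nonces.add(nonce)
    return True

def register_unchecked(caller_role, email, role, token):
    """The weak flow: the invite is never verified and the requested role is taken at face value."""
    return {"email": email, "role": role}

def register_checked(caller_role, email, role, token):
    """Hardened flow: a valid invite AND the caller may only grant a role no higher than its own."""
    if role not in ROLE_RANK or caller_role not in ROLE_RANK:
        raise PermissionError("unknown role")
    if ROLE_RANK[role] > ROLE_RANK[caller_role]:
        raise PermissionError("caller cannot grant a role above its own")
    if not verify_invite(token, email, role):
        raise PermissionError("invalid, expired, used or mismatched invite")
    return {"email": email, "role": role}
```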
Now for the details! The slide deck is available on the DEF CON media server, and you can view the presentation in full on the DEF CON Conference’s official YouTube channel.
Slide Deck:
