Two API Flaws That Could Unlock Your Car
At DEF CON 33, a researcher showed how two API authentication flaws in a centralised dealer portal for a top automaker enabled national admin access across 1,000+ US dealers. With weak VIN/name lookups and broken enrolment/pairing, attackers could remotely unlock/start cars, track location, and even transfer ownership silently.
This video breaks down the attack path, why centralisation magnifies risk, and what owners and teams can do: lock down dealer workflows, remove weak lookups, and harden API auth.
// YouTube video REFERENCE //
Your privacy and security nightmare: https://youtu.be/lDdJLrxQg24
// MENU //
0:00 - Coming Up
0:13 - Another example from Defcon 2025
0:24 - Flaws found in a carmaker's web portal
0:35 - What the hacker found
01:03 - The takeaway
01:21 - It's ridiculous that cars are connected this way
01:36 - Doxxing from parking lot
03:56 - Phishing on the dealer's dime
04:00 - Final takeaways
Disclaimer: This video is for educational purposes only.