
Latest news with #Harness

Hacker Says He Discovered a Way to Remotely Unlock, Fire Up One Carmaker's Vehicles

Yahoo

6 days ago

  • Automotive
  • Yahoo

A security researcher has detailed, at the DEF CON hacking conference in Las Vegas, a vulnerability that could have exposed customer vehicles: it allowed control of certain vehicle functions, tracking of vehicles, and access to the personal and financial data of those vehicles' owners. The story, first reported by TechCrunch, summarizes research by Eaton Zveare, a researcher at software company Harness.

Which car company does this affect? Zveare did not reveal the automaker, saying only that it is a widely known carmaker with popular sub-brands. That means a large number of vehicles would have been vulnerable had the attack come from a malicious actor. Thankfully, Zveare reported the vulnerability, and the company has since told him that it has been addressed.

How was this possible in the first place? Zveare says he found his access point in the automaker's online dealership portal. Security flaws in the portal's login system allowed him to bypass the login entirely and create a 'national admin' account that effectively gave him administrator access. With this access, Zveare was able to use the portal's user look-up tool to pair any vehicle with a mobile app account. Many vehicle apps today let you remotely lock or unlock a car, start it, look up its location, and more; all Zveare needed was a person's first and last name to find a potential target. Even without a name, knowing the VIN was enough to look up the owner's name in the portal.

He tested this using a friend's car, transferring ownership of the app account to himself, which gave him every privilege his friend previously had through the app. Zveare said he did not test whether he could drive the vehicle away, but the access granted could have put personal belongings and data in the hands of bad actors.
As we said, this vulnerability is no longer present in the automaker's dealer portal, and the automaker confirmed to Zveare that it has not detected any suspicious access to its portal beyond Zveare's own testing. That should mean customers are safe today, but it is another reminder of the potential pitfalls of today's connected cars.

Security flaws in a carmaker's web portal let one hacker remotely unlock cars from anywhere

Yahoo

11-08-2025

  • Automotive
  • Yahoo

A security researcher said flaws in a carmaker's online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers' vehicles.

Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted 'unfettered access' to the unnamed carmaker's centralized web portal. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker's customers, tracked vehicles, and enrolled customers in features that let owners, or the hackers, control some of their car's functions from anywhere.

Zveare said he does not plan to name the vendor, but said it is a widely known automaker with several popular sub-brands. In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant employees and associates broad access to customer and vehicle information.

Zveare, who has found bugs in carmakers' customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch. He said that while the security flaws in the portal's login system were a challenge to find, once found, they let him bypass the login mechanism altogether by permitting him to create a new 'national admin' account. The flaws were problematic because the buggy code was loaded into the user's browser when opening the portal's login page; that is, the login security checks ran in code the browser itself executes, which the user, in this case Zveare, could modify to bypass them. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find the flaw and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmaker's dealers across the United States, he told TechCrunch. 'No one even knows that you're just silently looking at all of these dealers' data, all their financials, all their private stuff, all their leads,' said Zveare, describing the access.

Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker's customers. In one real-world example, Zveare took a vehicle identification number from the windshield of a car in a public parking lot and used it to identify the car's owner. Zveare said the tool could also be used to look someone up using only a customer's first and last name.

With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which lets customers remotely control some of their car's functions from an app, such as unlocking the doors. Zveare said he tried this out in a real-world example using a friend's account, with their consent. In transferring ownership to an account he controlled, he said the portal required only an attestation, effectively a pinky promise, that the user performing the account transfer was legitimate. 'For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,' Zveare told TechCrunch. 'But [the portal] could basically do that to anyone just by knowing their name — which kind-of freaks me out a bit — or I could just look up a car in the parking lots.' Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into vehicles and steal items from them, for example.
Another key problem was that access to this carmaker's portal made it possible to reach other dealers' systems linked to the same portal through single sign-on, a feature that lets users log in to multiple systems or applications with a single set of credentials. Zveare said the carmaker's dealer systems are all interconnected, so it is easy to jump from one system to another. On top of this, he said, the portal had a feature that allowed admins, such as the account he created, to 'impersonate' other users, effectively granting access to other dealer systems as that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal in 2023. 'They're just security nightmares waiting to happen,' said Zveare of the user-impersonation feature.

Once in the portal, Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed real-time location tracking of rental or courtesy cars, as well as cars being shipped across the country, along with the option to cancel them, though Zveare did not try it. Zveare said the bugs took about a week to fix in February 2025, soon after his disclosure to the carmaker. 'The takeaway is that only two simple API vulnerabilities blasted the doors open, and it's always related to authentication,' said Zveare. 'If you're going to get those wrong, then everything just falls down.'

100th running of the Hambletonian marks a century of the biggest event in harness racing

31-07-2025

  • Sport

Growing up in a family of horsemen in Ontario, John Campbell knew how prestigious the Hambletonian was. Then he saw good friend Ray Remmen win the first one held at the Meadowlands in 1981. 'It was beyond a big deal,' Campbell said. 'It was something special.'

On Saturday, the biggest event in harness racing celebrates its centennial with the 100th running of the Hambletonian. While harness racing, like its thoroughbred equivalent, no longer holds the prominence it once did in the U.S. sporting landscape, the storied history of the Hambletonian and its evolution to grow interest in Europe are responsible for its longevity. 'To have this big event still going on 100 years, it's something that I'm sure they didn't even envision when it was formed,' said Campbell, a Harness Racing Hall of Fame driver who won the Hambletonian a record six times and participated a record 32 consecutive times from 1983-2014. 'It's the consistency of it. They raced it no matter what, through the Depression, through World War II, so it was always there.'

Campbell is now president and CEO of the Hambletonian Society, which has shepherded the race, named for the founding sire of standardbred horses, through changing times. The purse is the sport's richest at $1 million, a long way from the nearly $75,000 on the line during the inaugural running in 1926 at the New York State Fair in Syracuse. The Hambletonian bounced around to Lexington, Kentucky; Goshen, New York; and Du Quoin, Illinois, before finding a home in East Rutherford, New Jersey. 'Even during the war, they did have to because of gas rationing take it to Yonkers,' said Tom Charters, who worked at the Hambletonian Society from 1984-2017, including a lengthy stint as president. 'That's part of the charm of it, I think: the multiple venues and where it's gone and where it's been.' Another charm? The winning horse gets to drink out of the trophy.
That is something Charters saw pictures of and made sure would become part of the Hambletonian ceremony, with the name of the race and the horse logo always facing the cameras. 'It's become as symbolic as drinking milk at Indianapolis, for me, anyway,' Charters said, referring to the Indy 500 tradition. Campbell has his favorite memories, notably, he said, 'Winning.' His first victory with Mack Lobell in 1987 and winning with Tagliabue, trained by his brother, Jim, and named after longtime NFL Commissioner Paul Tagliabue, in '95 stand out as special, along with 2006 with Glidemaster to revitalize his career after injury. Chris McErlean, who worked at the Meadowlands from 1992-2007, remembers filly Continentalvictory beating the colts in '96, amateur Malvern Burroughs winning with Malabar Man in '97 and Swedish owner/trainer/driver Stefan Melander taking the race in 2000 with Scarlet Knight following efforts to encourage European participation. 'It made it a big international sensation,' McErlean said. 'He had a lot of international interest.'

It has garnered so much interest across Scandinavia and even France that of the 10 horses in the Hambletonian this year, nine have European trainers. Moira Fanning, who has worked at the society since 1987 and has been chief operating officer since 2017, expects more than $9 million to be wagered worldwide on the 100th Hambletonian. Fanning credits crossover horse betting from Saratoga Race Course and national television for keeping the event in the spotlight internationally, even though on-track attendance is now expected to be 8,000-10,000. At its height in 2005, a crowd of 31,000 packed the old Meadowlands, and the current limit is roughly a third of that. 'Harness racing is a niche kind of regional sport. It has lost ground. Tracks have closed,' Fanning said.
'Racing had a wonderful 200-year gambling monopoly that it no longer has, so it has taken a lot of work to keep it prominent and keep it on national TV and keep the big days big.' Essentially the Kentucky Derby of the harness world, the Hambletonian might be the one trotters' race known to the mainstream public, Fanning said. Inside the industry, it remains a big deal and something special. 'Even though the sport in general's been challenged and it maybe is not at the peaks it used to be, the Hambletonian is still the biggest thing, the biggest prize out there,' McErlean said. 'It almost has as much international cachet as it does prominence over here because of its longstanding history and being the richest race, being the biggest race on the calendar.'
