Hackers Exploited California’s Fancy Digital License Plates to Locate Cars
Security researchers were able to view location and customer data just by elevating their own account.
Remember those fancy digital license plates that California started testing a few years ago? The cool connected plates manufactured by Reviver feature e-ink displays, making them sip power while still being able to show custom messages and share location data in case a vehicle is stolen. After years of testing, the state officially legalized the tech in October, allowing any consumer in the state to run the plate instead of the traditional DMV-issued stamped metal version.
Well, being a connected device that can transmit and receive data, the license plate of the future caught the attention of security researcher Sam Curry. After some probing and prodding, Curry and several other researchers found their way into the backend of Reviver's systems and could access the location data of any user with a digital license plate.
Reviver's RPlate is available in a wired or wireless model that costs $19.95 per month or $24.95 per month, respectively. It offers the ability to renew vehicle registration, customize a message displayed on the license plate, switch between "light" and "dark" modes, provide telematic data, and even mark a vehicle as stolen to display a message on the plate for others to see. All of these actions are done remotely through an app or via the company's website.
On top of having "secure cloud communication," Reviver says that its information privacy is "ensured through a rigorous security protocol system." So how exactly was a team of security researchers able to foil the security of a state-vetted tech company?
By the end of the day, the researchers could quickly view vehicle location data, add new users to accounts, and update the text and default images on digital license plates belonging to other customers and even new car dealerships.
Curry and his team reported the vulnerability directly to Reviver after finding it. The digital plate company said that it patched the vulnerabilities within 24 hours, preventing bad actors from repeating the same type of attack and protecting user and location data from being unintentionally leaked.
In a world where connectivity is taking direct aim at the cars we drive every day (and the tech surrounding them), security should be a concern. Reviver's system is reportedly no longer at risk for this type of attack, but it shows how easily bad actors could worm their way into just about anything—including license plates and even digital driver's licenses.