Remember those fancy digital license plates that California started testing a few years ago? The cool connected plates manufactured by Reviver feature e-ink displays, making them sip power while still being able to show custom messages and share location data in case a vehicle is stolen. After years of testing, the state officially legalized the tech in October, allowing any consumer in the state to run the plate instead of the traditional DMV-issued stamped metal version.
Well, being a connected device that can transmit and receive data, the license plate of the future caught the attention of security researcher Sam Curry. After some probing and prodding, Curry and several other researchers found their way into the backend of the Reviver’s systems and could access the location data of any user with a digital license plate.
Reviver’s RPlate is available in a wired or wireless model that costs $19.95 per month or $24.95 per month, respectively. It offers the ability to renew vehicle registration, customize a message displayed on the license plate, switch between “light” and “dark” modes, provide telematic data, and even mark a vehicle as stolen to display a message on the plate for others to see. All of these actions are done remotely through an app or via the company’s website.
On top of having “secure cloud communication,” Reviver says that its information privacy is “ensured through a rigorous security protocol system.” So how exactly was a team of security researchers able to foil the security of a state-vetted tech company?
Curry and other researchers described in a blog post how they discovered the vulnerability by intercepting traffic between themselves and Reviver’s website. The team created a user account like any other person interested in purchasing a plate would do. They then performed a simple password reset on the account and observed functionality that suggested they could escalate the account’s rights and roles within Reviver’s system. The team was able to do exactly that by injecting a simple JavaScript string into the website’s user-facing front end. This simple change allowed the account to have the permissions and functionality of a corporate account, effectively giving the account the ability to manage fleets and invite other users with elevated permissions.
Using the same technique (injecting JavaScript), they could elevate the account to have an administrator role. This allowed the account to send specially crafted Application Programming Interface (API) messages to the website to view information about other accounts.
By the end of the day, the researchers could quickly view vehicle location data, add new users to accounts, and even update the text and default images on the digital license plates belonging to other customers and even new car dealerships.
Curry and his team reported the vulnerability directly to Reviver after finding it. The digital plate company said that it patched the vulnerabilities within 24 hours, effectively disabling any bad actors from repeating the same type of attack and protecting user and location data from being unintentionally leaked.
In a world where connectivity is taking direct aim at the cars we drive every day (and the tech surrounding them), security should be a concern. Reviver’s system is reportedly no longer at risk for this type of attack, but it shows how easily bad actors could worm their way into just about anything—including license plates and even digital driver’s licenses.
Got a tip or question for the author? Contact them directly: rob@thedrive.com