Only a few months after they officially became available, a security researcher and his friends have managed to pwn California’s new digital license plates.
Yes, for the past several years, Cali has been on a weird mission to digitize its car tags. Advocates claim that this modernization effort will offer a host of benefits to drivers, including “visual personalization” and easy in-app registration renewal, but security experts have long warned that if you hook your plates up to the web, somebody will inevitably try to mess with them.
Now, only a few months after the California legislature passed a law to legalize digital plates, that’s exactly what happened.
In a blog post published last week, bug hunter Sam Curry noted that he and his friends had recently managed to attain “full super administrative access” to all of the user accounts linked to Reviver, the company responsible for selling California’s modernized plates.
Reviver sells a thing called the RPlate, or a “smart plate.” Basically, it’s a battery-powered digital display that gets affixed to a vehicle’s rear and then projects the car’s information. The plate allows users to share different graphics and words on the plate, and also comes with an app that includes car monitoring and safety features. The going rate for one of these things, which are also available in Arizona and Michigan, is $20 a month, according to Reviver’s website.
Unfortunately, Reviver’s pricey, hi-tech solution also comes with some hi-tech problems. Curry and his friends investigated the Reviver app and website, discovering a vulnerability that allowed them to gain full administrative access to “all user accounts and vehicles for all Reviver connected vehicles.”
What could they do with that access? Among other things, they found they had the power to track the GPS locations of every single registered user, manipulate data on users’ plates, and even report specific vehicles as stolen (Reviver has an in-app feature that allows cars to be reported as stolen to authorities).
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Curry writes. “We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.”
Gizmodo reached out to Reviver for comment but did not hear back. In a statement provided to Motherboard, the company acknowledged that it had patched the software vulnerabilities that allowed the intrusion.
“We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report,” the statement partially reads.
Let’s be honest: some things really don’t need to be digitized. As boring as it is, I think I’ll be sticking with non-hackable tags for the foreseeable future.