California's Digital License Plates Have Already Been Hacked Just As Security Experts Warned
In a collective "I told you so" moment, security experts were proven right when California's newly minted digital license plates were hacked by a group of security/vulnerability researchers. The team was able to track the plate by GPS or even change the vehicle status to "Stolen." Even as the state legalized the use of digital plates, security experts had warned that web-connected plates are just welcoming trouble from hackers or any cybercriminal with the right motivation.
Bug hunter Sam Curry noted in a blog post that his team was able to obtain "full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles" through a vulnerability on the Reviver website and app. Currently, Reviver is a legal seller of digital license plates in California, Arizona, Michigan, and Texas, for $20 a month, thank you very much. What Curry and his team were able to do with this full administrative access (which includes all consumer and corporate accounts) is quite disturbing.
They found that they could remotely track the GPS location and manage the plates of all Reviver users. This level of access included messing with the slogan at the bottom of the plates or deleting the plate altogether. Curry adds that a hacker can change the vehicle status to "Stolen," which automatically informs the authorities. Since this is administrative-level access, all user records were visible, such as the physical address and contact information of users, and even what vehicles they owned. Hackers can also access fleet management functions, using them to locate and manage all vehicles in any company fleet. On the slightly brighter side, Curry doesn't say that the license number itself can be altered.
Since Curry published the vulnerability and shared it with Reviver, the company was able to patch the issue in under 24 hours.