As California digital license plates gained traction for their car-tracking features, concerns quickly arose about digital license plate safety. Now, a team of security researchers has made news by hacking into the company that makes these digital tags. In doing so, they’ve opened up a new swell of concerns about this tech.
Location data exposed by California digital license plates
In a blog post uncovered by Vice, a team of hackers claims to have gained “Full super administrative access” to connected vehicle license plates. This access allows complete control over user accounts and information, including real-time GPS tracking. The team, led by web application security researcher Sam Curry, could also view all user records regarding vehicle ownership. This data includes home addresses and contact information, all of which would be gold to would-be car thieves.
That said, Sam and others do this kind of thing all the time. They are not hacking cars with bad intentions. Instead, they use their skills to exploit problems in connected technologies to help safeguard data. In a blog post entitled “Web Hackers vs the Auto Industry”, Sam and his team take aim at several automotive brands, including Reviver. In doing so, they prove that digital license plate safety needs some work.
Extreme exploitation potential
Exposing your data is scary enough, but that’s not the end of the vulnerability with California digital license plates. The hackers were also able to change what the plates displayed and even put the plate into Stolen status. This updates the display on the plate to read STOLEN and informs authorities of the car theft. It will also track the vehicle via GPS. In theory, a hacker could report the car you own as stolen while you’re driving it, and send the cops after you as you wait for your Starbucks latte. Not a fun way to start your day.
How hackers accessed the California digital license plate database
The exploit used by Sam Curry and his team involved changing their account roles. Switching from the standard Consumer or Corporate user roles to a Reviver role offered administrative access to information. This gave the team unfettered access to both user and company data, including dealerships that offer Reviver digital plates. Certainly, the potential for this capability to fall into the wrong hands is scary. To that end, Reviver has already responded to shore up this potential loophole and reassure customers and clients that their data is safe.
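The role switch described above is a privilege-escalation flaw, and the defence is to decide role changes on the server from the caller's stored role. The following is an added example, not code from Reviver or the researchers: the role names come from the article, while the request shape, field names and function names are assumptions, since the article does not say how the role value was submitted.

```python
# Added example. Role names are from the article; everything else is hypothetical.
ROLES = {"CONSUMER", "CORPORATE", "REVIVER"}
SELF_EDITABLE = {"name", "email", "phone"}  # fields a user may change on their own account


def update_profile_vulnerable(user, body):
    """Weak pattern: copies every client-supplied field, including 'role', onto the account."""
    updated = dict(user)
    updated.update(body)
    return updated


def update_profile_hardened(actor, target, body, audit_log):
    """Applies allow-listed fields only; a role change needs an admin acting on another account."""
    if actor["id"] != target["id"] and actor["role"] != "REVIVER":
        raise PermissionError("cannot edit another user's account")
    updated = dict(target)
    for field, value in body.items():
        if field == "role":
            if value not in ROLES:
                raise ValueError("unknown role")
            # The actor's role comes from the server-side record, never from the request.
            if actor["role"] != "REVIVER" or actor["id"] == target["id"]:
                # Denied attempts are recorded so escalation probes are visible to defenders.
                audit_log.append(("role_change_denied", actor["id"], target["id"], value))
                raise PermissionError("role changes require an administrator")
            updated["role"] = value
        elif field in SELF_EDITABLE:
            updated[field] = value
        else:
            raise ValueError(f"field not editable: {field}")
    return updated


# Constructed sample account and request body (not real data).
alice = {"id": 1, "role": "CONSUMER", "email": "alice@example.test"}
escalation_body = {"email": "a@example.test", "role": "REVIVER"}

if __name__ == "__main__":
    print(update_profile_vulnerable(alice, escalation_body)["role"])
    log = []
    try:
        update_profile_hardened(alice, alice, escalation_body, log)
    except PermissionError as exc:
        print("denied:", exc, log)
```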
For their part, Reviver told Motherboard that they had remedied the security risk for California digital license plates quickly. In the statement, they say “We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”
They also indicated the addition of further safeguards to protect consumer information. Reviver states, “we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections”. Furthermore, Reviver notes “this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”