Security researchers Reviver Digital License Plate Hack Hack

A few months after they officially went live, a security researcher and his friends managed to hack California’s new digital license plates.

Yes, for the past several years Kali has been in A Strange mission To digitize the car tags. Advocates say this modernization effort will offer many benefits to drivers, including “view personalization” and easier in-app registration renewals, but safety experts have long balked. warned If you hook your plates to the web, it’s inevitable that someone will try to damage them.

Now, just a few months after the California Legislature passed the law. Legalization of digital platesand that’s what happened.

as if Blog post In a post last week, bug hunter Sam Curry claimed that he and his friends had recently gained “full super-administrative access” to all connected user accounts. Stimulate.A digital contractor responsible for selling California smart plates.

Reviver sells something called the RPlate, or “smart plate.” Basically, it’s a battery-powered digital display that attaches to the back of a vehicle and then processes the car’s information. The plate allows users to share various graphics and words on the plate, and comes with an app that includes car tracking and safety features. The rate for one of these, located in Arizona and Michigan, is $20 a month, according to the Reviver website.

Unfortunately, Reviver’s pricy, hi-tech solution comes with some hi-tech problems. Curry and his colleagues investigated Reviver’s app and website, finding vulnerabilities that allowed them to gain full administrative access to “all user accounts and vehicles for all Reviver-connected vehicles.”

What can you do with that access? Among other things, they discovered that they had the power to track the GPS location of each registered user, monitor data on users’ license plates, and report stolen vehicles (Reviver has an in-app feature that lets you report cars stolen to authorities).

“A real attacker can remotely update, track, or delete anyone’s REVIVER plate,” Curry wrote. “Also, we can contact any dealer (for example, Mercedes-Benz dealers often put REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still has DEALER tags.”

Gizmodo reached out to Reviver for comment, but has not heard back. In a statement the company gave to Motherboard He admitted There are software vulnerabilities that allow the attack to be carried out.

“We are proud of our team’s quick response, patching the application in less than 24 hours and taking additional steps to prevent this from happening in the future. Our research has confirmed that this vulnerability was not exploited. Customer data was not affected, and there is no evidence of an ongoing risk related to this report.” The statement reads in part.

Let’s face it: some things just don’t need to be digitized. As boring as it is, I think I’ll stick with unhackable accounts for the foreseeable future.