- A team of web developers found numerous security issues in California’s digital license plate carrier, Reviver.
- With access through the plate’s SIM card, hackers were able to see the real-time location and registration address, delete or alter the tag, and even mislabel the vehicle as stolen.
- Reviver has patched the issues since, but privacy advocates say the digital plate program poses security and data challenges that outweigh the supposed convenience.
Do license plates really need to be hard metal? It’s 2023, after all, and at least three states in the US have answered that very question by legalizing digital license plates. California is the latest adopter of the technology, following Arizona, Michigan, and Texas in launching its own digital license plate program in October 2022. But residents should think twice before opting into the new technology.
That’s because a team of web security researchers led by Sam Curry found weaknesses in the software built into the California license plates supplied by Reviver, the company leading the push for digital plates. Thanks to the SIM card found in the plates, these web security experts were able to easily hack into the administrative back end of Reviver.
The team explained their hacking process in a thoroughly technical blog post and, while the developer jargon doesn’t mean much to the average car owner, it’s clear just how vulnerable these digital plates are.
Once the team established full administrative access, they could see the details of every user’s account, including vehicle type and physical address. Every vehicle with a Reviver plate could also be tracked by GPS in real time, and the hackers could change or add any slogan to the plate. Additionally, the security function of the plates that labels the car as stolen could be abused, allowing hackers to mislabel the vehicle as stolen at a moment’s notice.
Fleet management functions were also easy targets, with the hackers able to locate and manage all vehicles across a number of companies’ fleets. This could become problematic for vehicles bearing dealer tags, as the hackers could easily wipe those identifications away. One of the most glaring issues found in the investigation was that consumer and commercial tags could be simply deleted by bad actors.
Since the blog post went live on Jan. 3, Reviver has patched the issues, releasing this statement to Motherboard: “We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”
Privacy advocates, such as the Electronic Frontier Foundation, expressed concerns about the security lapse, as well as about where the data accumulated by Reviver goes and how long it is kept. Based in Granite Bay, California, Reviver said it doesn’t share data with law enforcement, the DMV, or any third-party organization, and previously claimed that it uses the same security standards that banks use.
Reviver was founded in 2009, put its first prototypes on the road in 2015, and in 2017 had its first 1,000 digital plates in operation. In California, Reviver’s pilot program started with 175,000 digital plates on the road.
Because the team of web security researchers does these hacking probes in good faith, Reviver has learned a valuable lesson in cybersecurity and, at least for now, no harm has been done to its customer base. But the breach exposes the unique weaknesses of the digital plate, such as the possibility of making the plate display something offensive.
Time will tell if consumers adopt the digital plate more widely, as the states that have adopted it say it gives car owners more of a choice and makes registration easier. But the possibility of increased headaches could sway owners to stick with the classic stamped aluminum.