Cybersecurity researchers managed to hack into California’s new digital license plates, which are sold and managed by tech company Reviver. The digital plates, called Rplates, went on sale in California late last year, but it was only a matter of time before hackers found a way into Reviver’s systems.
Luckily, the white hats got there first by gaining full “super administrative access” via the Reviver website, according to Vice. This allowed the team of researchers to track the location of all cars using the plates, access all user records and even change some of the text shown on the digital plate displays.
Bug bounty hunter Sam Curry explained how the team started probing Reviver’s mobile app first, then the website. The team became interested in Reviver due to the company’s ability to track the digital plates — and any car wearing one.
Since our administrator account theoretically had elevated permissions, our first test was simply querying a user account and seeing if we could access someone else’s data: this worked!
We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization.
At this point, we reported the vulnerability and observed that it was patched in under 24 hours. An actual attacker could remotely update, track, or delete anyone’s REVIVER plate. We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.
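The findings Curry describes come down to two things a backend for connected devices has to get right: a caller’s privilege level must be decided by the server from the authenticated identity, never from anything the client asserts about itself, and any privileged read or write that crosses account boundaries must be recorded so that one principal sweeping through every customer’s records stands out. The following toy API is an added illustration of those controls, written for this article; it is not Reviver’s code or Curry’s, the article does not say how the administrative access was actually obtained, and the plate records, account names, role names and the `support_admin` role are all constructed for the example.

```python
"""Added example: server-side authorization and auditing for a plate-tracking API.

Everything here (records, accounts, roles) is constructed for illustration and is
not Reviver's API. The point is the shape of the controls, not the data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample records: plate id -> owning account, status, last position.
PLATES = {
    "plate-001": {"owner": "acct-alice", "status": "ACTIVE", "lat": 34.05, "lon": -118.24},
    "plate-002": {"owner": "acct-bob", "status": "ACTIVE", "lat": 37.77, "lon": -122.42},
    "plate-003": {"owner": "acct-carol", "status": "ACTIVE", "lat": 32.72, "lon": -117.16},
}

# Server-side role store (constructed). Roles are granted by an operator process and
# are never read from a request body, a registration field or a client-minted claim.
ROLES = {"acct-alice": "customer", "acct-bob": "customer",
         "acct-carol": "customer", "acct-ops": "support_admin"}

PRIVILEGED_ROLES = {"support_admin"}  # hypothetical role name


class Forbidden(Exception):
    """Raised when the caller may not touch the requested plate."""


@dataclass
class Request:
    session_account: str                 # authenticated principal from the session/token
    plate_id: str
    claimed_role: Optional[str] = None   # anything the client asserts about itself


def resolve_role(req: Request) -> str:
    """Hardened: look the role up by authenticated identity; ignore client claims."""
    return ROLES.get(req.session_account, "customer")


def resolve_role_trusting_client(req: Request) -> str:
    """Weak pattern, kept only for contrast: believe whatever role the client claims."""
    return req.claimed_role or ROLES.get(req.session_account, "customer")


def get_plate_location(req: Request, audit_log: list,
                       role_resolver: Callable[[Request], str] = resolve_role) -> dict:
    """Return a plate's last position, enforcing object-level ownership.

    A non-owner succeeds only with a privileged role, and every such cross-account
    read is appended to audit_log so a burst of them can be detected afterwards.
    """
    plate = PLATES.get(req.plate_id)
    if plate is None:
        raise KeyError(req.plate_id)
    if plate["owner"] != req.session_account:
        role = role_resolver(req)
        if role not in PRIVILEGED_ROLES:
            raise Forbidden(f"{req.session_account} may not read {req.plate_id}")
        audit_log.append({"actor": req.session_account, "role": role,
                          "target_owner": plate["owner"], "plate": req.plate_id})
    return {"lat": plate["lat"], "lon": plate["lon"]}


def is_allowed(req: Request, role_resolver: Callable[[Request], str] = resolve_role) -> bool:
    """Convenience wrapper: True if the read is authorized, False if it is refused."""
    try:
        get_plate_location(req, [], role_resolver)
        return True
    except Forbidden:
        return False


def flag_bulk_cross_account_reads(audit_log: list, max_distinct_owners: int) -> list:
    """Detection: privileged actors whose cross-account reads span more distinct customer
    accounts than a legitimate support workflow would plausibly need."""
    seen: dict = {}
    for entry in audit_log:
        seen.setdefault(entry["actor"], set()).add(entry["target_owner"])
    return sorted(actor for actor, owners in seen.items() if len(owners) > max_distinct_owners)


if __name__ == "__main__":
    log: list = []
    # A customer claiming an admin role gets nowhere when the server resolves roles itself.
    print(is_allowed(Request("acct-alice", "plate-002", claimed_role="support_admin")))
    # The same request succeeds under the weak resolver, which is the pattern to avoid.
    print(is_allowed(Request("acct-alice", "plate-002", claimed_role="support_admin"),
                     resolve_role_trusting_client))
    # A genuine support account reading every customer's plate is allowed but leaves a trail.
    for pid in PLATES:
        get_plate_location(Request("acct-ops", pid), log)
    print(flag_bulk_cross_account_reads(log, max_distinct_owners=2))
```

The audit threshold is deliberately crude; in practice it would be a rate over a time window with an allow-list for known batch jobs, but the principle is the one that matters here: privileged cross-account access is legitimate for support staff and must therefore be logged and baselined rather than simply permitted.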
The bug also allowed the researchers to update the status of any digital CA plate to “STOLEN,” which could alert police and possibly send them after a car falsely labeled as the object of theft. Researchers said they could also change the slogan or text at the bottom of the plate — which users can change at will — but the team didn’t say that they could change the actual license plate number.
Even so, the bug found on the Reviver site could have given someone an alarming amount of information and control over the digital plates. As Curry notes, Reviver patched the bug within 24 hours after it was reported; the company says that a subsequent investigation found the “potential vulnerability” had not been misused, nor had any user data been leaked.