As vehicle tracking features gain traction, concerns quickly arise about the safety of the digital license plate. Now, a team of security researchers has hacked the company that makes these digital tags. By doing so, they have opened up a new wave of concerns about this technology.
, a team of hackers claims to have gained “full super administrative access” to . This access allows full control over user accounts and information, including real-time GPS tracking. The team, led by web application security researcher Sam Curry, can view all user records related to vehicle ownership. This data includes home addresses, contact information, and other data that would be gold for potential car thieves.
Having said that, Sam and others do this kind of thing all the time. They have no bad intentions. Instead, they use their skills to exploit issues in connected technologies to help protect data. In a blog titled “Web Hackers vs the Auto Industry,” Sam and his team take aim at several auto brands, including Reviver. In doing so, they prove that digital license plate integrity needs some work.
High exploitation potential
Having your data exposed is scary enough, but that’s not the end of the vulnerability in California’s digital car registration plates. The hackers were also able to change what the plates display and even mark a plate as stolen. Doing so updates the on-board display to a stolen reading and reports the car stolen to the authorities. It will also track the vehicle via GPS. In theory, a hacker could report the car you own as stolen while you’re driving it, and send cops after you while you’re waiting for your Starbucks coffee. Not a fun way to start your day.
How hackers accessed California’s digital license plate database
The exploit used by Sam Curry and his team involved changing the roles of their accounts. Switching from the standard consumer or corporate user roles to the Reviver role allowed administrative access to the information. This gave the team unfettered access to user and company data, including the agents who provide Reviver digital plates. The prospect of this ability falling into the wrong hands is certainly frightening. To that end, Reviver has already responded to address this potential vulnerability and reassure clients and customers that their data is secure.
For their part, they told Motherboard that they quickly addressed the security risks of digital car registration plates in California. In the statement, they said: “We are proud of the quick response of our team, which patched our app in less than 24 hours and took further measures to prevent this from happening in the future. Our investigation confirmed that this potential vulnerability was not being misused. Customer information was not affected, and there is no evidence that there are continuing risks related to this report.”
They also indicated the addition of more safeguards to protect consumer information. “We also used this opportunity to identify and implement additional safeguards to complement our existing critical safeguards,” Reviver says. Furthermore, Reviver notes, “This potential vulnerability has not been abused. Customer information has not been affected, and there is no evidence of ongoing risks related to this report.”
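The role change described above is a broken access control problem: an account's role must never be something its owner can set. The following is an added example, not code from Reviver or from the researchers, showing a weak account-update handler beside a hardened one; the role strings, field names and function names are constructed for illustration, and it assumes the role travelled as an ordinary field of an account update.

```javascript
// Added example. Role and field names are hypothetical, not Reviver's own.
const ROLES = ["CONSUMER", "CORPORATE", "REVIVER"]; // REVIVER = vendor admin role
const SELF_EDITABLE = new Set(["displayName", "phone"]); // fields an owner may change

// Weak form: merges every client-supplied field into the record,
// so "role" is writable by the account owner.
function updateAccountWeak(account, patch) {
  return { ...account, ...patch };
}

// Role decisions use the actor's role from the server-side session,
// never a value taken from the request body.
function canAssignRole(actor, account, newRole) {
  if (!ROLES.includes(newRole)) return false;
  if (actor.id === account.id) return false; // nobody changes their own role
  return actor.role === "REVIVER";
}

// Hardened form: allowlist of self-editable fields; a role change is a
// separately authorised action, and every attempt is written to an audit log.
function updateAccountHardened(actor, account, patch, auditLog) {
  const next = { ...account }; // work on a copy so a rejected patch changes nothing
  for (const [field, value] of Object.entries(patch)) {
    if (field === "role") {
      const allowed = canAssignRole(actor, account, value);
      auditLog.push({ actor: actor.id, target: account.id, field, value, allowed });
      if (!allowed) throw new Error("role change denied");
      next.role = value;
    } else if (actor.id === account.id && SELF_EDITABLE.has(field)) {
      next[field] = value;
    } else {
      // Unknown fields are rejected rather than silently merged.
      throw new Error(`field not editable: ${field}`);
    }
  }
  return next;
}
```

Denied entries in the audit log (`allowed: false`) are the signal to alert on, since a legitimate client has no reason to send a role field for its own account.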