Now I want one.
Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance.
Read the full article at Wired
Summary of Digital License Plate Vulnerabilities
Digital license plates, marketed by Reviver, are becoming increasingly popular in several states, offering features like customizable displays and GPS tracking. However, security researcher Josep Rodriguez has revealed a serious vulnerability: these plates can be “jailbroken,” allowing users to change their license plate numbers at will, evade tolls, and even redirect traffic violations to innocent drivers. This revelation raises significant concerns about the security and regulation of digital vehicle identification systems.
Key Points
Vulnerability Discovery: Josep Rodriguez demonstrated how to jailbreak Reviver’s digital license plates by removing a sticker and attaching a cable to the internal connectors, allowing him to rewrite the firmware in minutes.
Potential Misuse: A jailbroken plate can display any characters or images, enabling users to evade law enforcement surveillance, traffic tickets, and toll fees. It could also allow malicious users to change their plate number to that of another vehicle, resulting in false ticketing.
Hardware-Level Flaw: The vulnerability exists at a hardware level, meaning Reviver cannot simply issue a software update to fix it. Addressing the issue would require replacing the chips in all affected plates.
Reviver’s Response: Reviver stated that jailbreaking would be a criminal act and emphasized that the technique requires physical access to the vehicle. The company is reportedly redesigning its plates to avoid using vulnerable chips in the future.
Broader Implications: The findings suggest that as digital license plates become more widespread, policymakers and law enforcement must recognize the potential for misuse and the limitations of current identification systems based solely on license plate numbers.
Detailed Breakdown
Jailbreaking Technique
Rodriguez’s method involves a fault-injection technique that allows him to disable security features of the plates and install custom firmware. Once jailbroken, users can change the display via a smartphone app, raising the risk of evading traffic enforcement.
Risks of Misuse
The ability to manipulate license plate numbers poses a significant risk not only for traffic violations but also for potential criminal activities. Rodriguez highlighted that a hacker could change a plate number to that of another vehicle, effectively shifting the burden of fines and tickets to an unsuspecting driver.
Reviver’s Position
Reviver acknowledged the vulnerability only after being contacted by WIRED, despite efforts by IOActive to inform the company over the past year. They argue that the likelihood of such jailbreaking occurring in real-world conditions is low, as it requires specialized tools and knowledge. However, Rodriguez disputes this, claiming that anyone with basic technical skills could replicate his method.
Previous Vulnerabilities
This isn’t the first security concern for Reviver; in 2022, another researcher found vulnerabilities in the company’s web infrastructure. While Reviver quickly patched those issues, the hardware vulnerabilities present a more complex challenge.
Notable Quotes & Data
- “If you can change the license plate number whenever you want, you can cause some real problems,” said Rodriguez, underscoring the potential for abuse.
- Reviver stated that jailbreaking “would be a criminal act subject to prosecution by law enforcement,” emphasizing the legal ramifications of such actions.
Context & Implications
As digital license plates continue to gain traction, particularly in states like California and Arizona, the implications of these vulnerabilities become more pressing. Experts warn that systems relying solely on license plate numbers for identification may be easily compromised, leading to increased scrutiny and potential regulatory changes in the future. “You should assume people will mess with them,” Curry cautioned, highlighting the need for robust security measures in emerging vehicle identification technologies.
In conclusion, the revelations about the vulnerabilities in digital license plates serve as a crucial reminder for stakeholders to prioritize security in the rollout of innovative automotive technologies.