Digital license plates have been around for several years, promising to save states money shipping metal plates while also dragging their respective departments of motor vehicles into the 21st century. Except Wired reports they can also be hacked to change the plate number at will, allowing drivers to avoid paying tickets and tolls. In fact, they can also allegedly stick other drivers with their fines, which doesn’t sound good. That could even be considered bad, actually.
IOActive security researcher Josep Rodriguez reportedly discovered a way to jailbreak the Reviver-brand license plates that are already on 65,000 vehicles. It does require physical access to the license plate, but once he installed new firmware, he was able to use an app on his phone to change the number displayed on the license plate. While that would allow owners to avoid tickets, there’s also nothing stopping them from using another vehicle’s license plate number to stick them with the bill. There’s also no way for Reviver to update the software to prevent jailbreaking:
Because the vulnerability that allowed him to rewrite the plates’ firmware exists at the hardware level—in Reviver’s chips themselves—Rodriguez says there’s no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company’s license plates are very likely to remain vulnerable despite Rodriguez’s warning—a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. “It’s a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it,” he says.
When Wired contacted Reviver for a comment, it said that jailbreaking one of its digital license plates to change the plate number “would be a criminal act subject to prosecution by law enforcement.” It also said that “the jailbreak technique identified by IOActive requires physical access to the vehicle and plate, plate removal, specialized tools and expertise. They also said “this scenario is highly unlikely to occur in real-world conditions, limiting it to individual bad actors knowingly violating laws and product warranties.” Reviver also claimed it was reworking its plates to use different chips that aren’t vulnerable to the same hack that Rodriguez used.
Rodriguez, however, pushed back against Reviver’s claim that jailbreaking its digital plates required fancy tools and rare expertise. Sure, the initial hack required more computer knowledge than the typical person has access to, but once he was in, he was able to develop a tool that pretty much anyone could use to change their own license plate or hack someone else’s. “They just need to connect a cable and install the new firmware, just like if you were jailbreaking your iPhone,” Rodriguez told Wired.
That said, if you do have one of Reviver’s digital license plates, there is one feature that will make it more difficult for someone to remotely connect you to a crime:
In addition to the physical access and time necessary to pull off that hack, however, a license plate saboteur would also need to overcome a feature of Reviver’s plates that sends a notification to the owner when it’s detached from a vehicle. That would require jamming the plate’s radio communications while tampering with it, Rodriguez notes, an added wrinkle that makes the attack even less practical, though perhaps not impossible.
So that’s at least comforting. Sort of. On the other hand, if you start getting tickets for things you didn’t do, at least now you know why.
Update December 17, 2024 9:45 a.m.: Reviver reached out with a statement and also clarified that its license plates do not have GPS capabilities that would allow malicious actors to track a driver’s location:
Unfortunately, efforts to manipulate license plates are not new. Objectively, manipulating standard metal plates is far easier than tampering with Reviver’s digital plates, which are designed with multiple layers of protection. By contrast, standard metal plates can be easily swapped, cloned, tracked, simulated, or tampered with.
While skilled practitioners can theoretically jailbreak any electronic device, opting to do so to alter the functionality of a digital license plate would be a criminal act subject to prosecution by law enforcement. Additionally, any time a digital plate is removed, tampered with, or disabled, registered customers receive an immediate alert and the plate goes into detached mode, ceasing communication with Reviver’s system. These safeguards ensure that any tampering is instantly detected by both the plate owner and Reviver.
The jailbreak technique identified by IOActive requires physical access to the vehicle and plate, plate removal, specialized tools, and expertise. This scenario is highly unlikely to occur in real-world conditions, limiting it to individual bad actors knowingly violating laws and product warranties. Importantly, this technique only affects the specific device being tampered with and does not compromise Reviver’s platform or customer and DMV data. Personally identifiable information held by Reviver remains fully protected. Even the IOActive researcher, Mr. Rodriguez, acknowledges and commends Reviver for our security posture, noting that his attempts to compromise the plate in more significant ways were unsuccessful.
Reviver remains committed to delivering innovative, secure, and reliable solutions for our customers, advancing the overall safety of license plate technology. We are proud to regularly partner with cybersecurity firms, including IOActive and Mr. Rodriguez, and are currently actively working to further strengthen our products and systems.