Cybersecurity researchers managed to hack into California’s new digital license plates, which are sold and managed by tech company Reviver. The digital plates, called Rplates, went on sale in California late last year, but it was only a matter of time before hackers found a backdoor into Reviver’s systems.
Luckily, the white hats got there first by gaining full “super administrative access” via the Reviver website, according to Vice. This allowed the team of researchers to track the location of all cars using the plates, access all user records and even change some of the text shown on the digital plate displays.
Editor’s Note: This article was originally published on Monday, January 9th at 06:30pm EST. It has been updated with a statement from Reviver following the discovery of the bug, which the company says has been patched.
Bug bounty hunter Sam Curry explained how the team started probing Reviver’s mobile app first, then the website. The team became interested in Reviver due to the company’s ability to track the digital plates — and any car wearing one.
Since our administrator account theoretically had elevated permissions, our first test was simply querying a user account and seeing if we could access someone else’s data: this worked!
We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization.
At this point, we reported the vulnerability and observed that it was patched in under 24 hours. An actual attacker could remotely update, track, or delete anyone’s REVIVER plate. We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.
The bug also allowed the researchers to update the status of any digital CA plate to “STOLEN,” which could alert police and possibly send them after a car falsely labeled as the object of theft. Researchers said they could also change the slogan or text at the bottom of the plate — which users can change at will — but the team didn’t say that they could change the actual license plate number.
Even so, the bug found on the Reviver site could’ve given someone an alarming amount of information and control over the digital plates. As Curry notes, Reviver patched the bug within 24 hours after it was reported; the company shared a statement with Jalopnik saying a subsequent investigation found that the “potential vulnerability” had not been misused, nor had any user data been leaked. From Reviver:
We were recently contacted by a cybersecurity researcher regarding potential application vulnerabilities in the auto industry. Our team immediately investigated this report, met with the researcher, and, out of an abundance of caution, engaged leading data security and privacy professionals to assist.
We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.
Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles.