In October, the state of California approved the use of digital license plates. Permanently connected to the internet, they act as small screens displaying license plate info above a personalizable message. And, permanently connected to the internet, they’re hackable.
A group of cyber security researchers claims it was able to hack into the system that controls the plates. That let them track the GPS locations of cars, change what the plates displayed, and see customer information.
The Purported Benefits of Digital Plates
The company behind the plates, Reviver, sells them by subscription. Reviver charges $19.95 per month for a battery-powered version and $24,95 a month for one hard-wired into your car. The company claims the plates “enable a better experience for everyone, including drivers, DMVs, highway patrol, auto dealerships, and commercial fleet businesses.”
California claims the plates save taxpayers money because users can renew them electronically. That saves on mail costs and administrative costs at DMV locations. As a 2019 report on a pilot test of the plates explains, “the cost is borne by the consumers, with minor fiscal impact to the state.”
Owners gets to renew their registration without leaving home and display a separate message on a small panel above the license plate number. That message, Reviver notes, can display “stolen” if the car is stolen.
The company also advertises that owners can “receive instant alerts if your vehicle moves.”
That’s where the hackers come in.
White Hats and Black Hats
If you don’t regularly track the cyber security community, a quick primer on its lingo might be useful.
“White hat” hackers are security researchers who hunt for vulnerabilities in software and products so that they can warn the companies that build them to fix them before something bad happens. “Black hat” hackers hunt for vulnerabilities so that they can exploit them.
White hat hacker Sam Curry and his team from Yuga Labs are rapidly becoming critical to the automotive industry’s cyber security efforts. Last month, Curry exposed a flaw that let his team remotely unlock and start cars from at least a dozen manufacturers. They were also able to obtain identification data on some car owners.
The companies involved say they quickly closed the security loopholes Curry found.
Now, he says he’s hacked into Reviver’s systems. In a blog post, Curry writes that his team achieved “full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles.”
Hackers Could Track Locations, See User Data
That let them track the GPS location of every digital license plate owner. They found they could also change the personalized display panel on each plate to say whatever they wanted it to say, and mark any car as stolen.
Researchers also found customer data, “including what vehicles people owned, their physical address, phone number, and email address.”
They told Reviver how they did it, and the company says it quickly closed the vulnerabilities.
“We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future,” Reviver says. “Our investigation confirmed that this potential vulnerability has not been misused.”
Digital Plates Might Be a Solution to No Problem at All
The incident, however, points to a growing truth about modern cars. Increasingly, most cars are connected to the internet most of the time.
That will change most of what you know about car ownership. It will allow automakers to charge monthly fees for car features, potentially bringing an end to the idea of ownership or fully paying off a car. It also makes cars increasingly trackable – and may be a reason for some of us to conclude that adding another connected device to our cars is not worth the risks.
Particularly when it solves a problem also solved by a simple piece of metal.
