Security researchers were able to gain “super administrative access” to Reviver, the sole provider of California’s digital license plates, and track the GPS location of every vehicle associated with those plates.
A team of security researchers successfully obtained “full super administrative access,” which allowed them to perform a slew of tasks involving the company’s user accounts and vehicles, according to a blog post by researcher Sam Curry.
After gaining access, a hacker could track the physical GPS location of all license plates of Reviver customers, as well as change the slogan or personalized message at the bottom of the plates to arbitrary text.
The personalized message on the license plates is a feature that allows customers to digitally update the bottom section of their plates to display different messages, such as “Go Team!” or “looking for a trail.”
Additionally, a hacker could update any vehicle status to “STOLEN,” which would alert authorities.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Curry wrote in his blog post, revealing that he and his team had found security vulnerabilities across the automotive industry, not just with Reviver.
A hacker could also access all user records, including which vehicles people owned, their physical address, phone number, and email address, and could access the fleet management functionality for any company to locate and manage every vehicle in its fleet, Curry noted.
“We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization,” Curry explained.
“We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags,” he added.
Reviver responded to the revelations, telling Vice’s Motherboard that it has since patched the issues discovered by the researchers.
“We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused.”
“Customer information has not been affected, and there is no evidence of ongoing risk related to this report,” the company continued. “As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”
“Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles,” Reviver added.