California began allowing digital license plates in October of last year, and researchers have already found a way to hack them. A single company provides all digital plates for the state, and bad actors who gain access to its systems could wreak major havoc on California drivers.
Security researcher Sam Curry released a report earlier this month that also detailed several vulnerabilities in popular car makes like Hyundai, Kia, Honda, Mercedes-Benz, and Nissan. After gaining access to Reviver, the company that makes the license plates, the researchers had “full super administrative access,” which means they could track the physical locations of the plates, change the customizable text at the bottom, access all account records, and report vehicles as stolen.
It’s easy to see how this could go sideways. Access to vehicle locations is bad enough, but having users’ full addresses, phone numbers, and email addresses creates a perfect opportunity for identity theft. It could also create a significant safety issue for people who must keep their home locations private, such as domestic violence survivors, celebrities, and public officials.
Curry’s blog post explains that they gained access to Reviver through the company’s app, which classifies users into categories such as “consumer” or “corporate.” They said changing their user category to one called “Reviver” granted them the all-seeing access they reported back to the company.
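The class of flaw described above, where an account's category can be changed from the client side, is shown here as an added example that is not taken from Curry's report or Reviver's code. The field names, functions and sample records are assumptions; the article does not say how the category was changed.

```python
# Added illustration: field names, category handling and functions are assumed,
# not taken from Reviver's application.
SELF_EDITABLE = {"display_name", "email", "phone"}   # fields an owner may change
INTERNAL_CATEGORY = "Reviver"                        # staff-only category


class Forbidden(Exception):
    """Raised when a request tries to change something it is not allowed to."""


def update_profile_vulnerable(stored: dict, body: dict) -> dict:
    """Mass assignment: every client-supplied key overwrites the stored record."""
    updated = dict(stored)
    updated.update(body)          # a "category" key in the body is accepted as-is
    return updated


def update_profile_hardened(stored: dict, body: dict, audit: list) -> dict:
    """Accept only allowlisted fields; log and reject the request otherwise."""
    rejected = sorted(set(body) - SELF_EDITABLE)
    if rejected:
        # An attempt to set "category" is a useful detection signal, so record it.
        audit.append({"user": stored["id"], "event": "rejected_fields",
                      "fields": rejected})
        raise Forbidden(f"fields not editable by the account owner: {rejected}")
    updated = dict(stored)
    updated.update(body)
    return updated


def set_category(actor: dict, target: dict, new_category: str) -> dict:
    """Category changes use a separate path, authorized against the actor's
    stored category and never against a value carried in the request."""
    if actor["category"] != INTERNAL_CATEGORY:
        raise Forbidden("only internal staff may change an account category")
    updated = dict(target)
    updated["category"] = new_category
    return updated


# Constructed sample records
consumer = {"id": 101, "category": "consumer", "email": "a@example.com"}
staff = {"id": 1, "category": "Reviver", "email": "ops@example.com"}
```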
In a statement, Reviver said it had patched the vulnerabilities discovered by the team, but this situation raises several other questions. Having only one company producing the digital plates isn’t all that unusual, especially since the program is so new. That such a simple vulnerability wasn’t discovered earlier is a bit alarming. It should also raise questions about user privacy and how the company holds all the data. Access to the plates is one thing, but a hacker could go straight to the database in the future.