This is not just science fiction because white hackers have already demonstrated it is possible. A team of security researchers (also known as “white hackers”) have managed to gain super administrative rights into Reviver’s information system. Such access grants the right to make system-wide changes and access all the functionalities of the digital plates installed on the vehicles throughout California and other states where Reviver has sold its services.
The hackers have been able to track the physical GPS location of all Reviver customers and change a selection of text at the bottom of the license plate. This section is reserved for personalized messages, which the user can program through the dedicated app. The vulnerability also allowed hackers to update any vehicle status to “STOLEN,” which updates the license plate with the appropriate text warning and alerts authorities. It could potentially endanger the life of the driver and the passengers, depending on how the police react to the information.
The hackers went even further and used the same privileged administrative rights to access user records, including what vehicles people owned, their physical addresses, phone numbers, and email addresses. More so, they gained access to the fleet management functionality for any company and located and managed all vehicles in the fleet. All these actions could have dire implications for people using Reviver services and digital license plates.
The hack was described in detail by the security research team in a blog post. It’s a rather long one and is not only related to Reviver but many other car companies. Reviver attracted the hackers’ attention thanks to the digital license plates that could be used to track vehicles. Nevertheless, the researchers were able to get deeper than expected in the Reviver’s IT system. According to Motherboard, the company has patched the issues identified by the researchers.
“We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future,” Reviver told Motherboard. “Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”
California launched the option to buy digital license plates in October, with Reviver as the sole provider. According to their statement, the plates are legal to drive nationwide and legal to purchase “in a growing number of states.” Customers pay a $20 monthly fee for a battery-powered plate or $25 for a wired plate.