In October, California joined Arizona and Michigan in offering the option to get digital license plates. These are e-ink plates, so they don’t need a lot of power, though they do need some minimal connectivity. Texas also has digital plates for commercial vehicles. Digital license plates are easier to update and can show emergency messages like Amber Alerts, or a message that the vehicle has been stolen. In fact, Reviver, the company that makes and manages the plates for the state of California, can use tracking abilities to help find stolen cars.
Obviously, when this was first announced, everybody in the DTNS audience started wondering how it could be hacked. Web application security researcher Sam Curry and friends had similar thoughts about many automotive companies. Last week Curry posted about multiple automotive vulnerabilities they found, including one related to Reviver.
Curry and his group modified a JavaScript role on Reviver's website and were able to gain super admin access. That would have let them track the location of all cars with the digital plates, change the slogan at the bottom of the plate (something the owner of the car can also do), and change vehicle status to stolen. It also would have let them do the things you usually can do when accessing an admin system, like see address, phone number, and email, plus a few industry-specific things like vehicle type and some fleet management functions for companies that use digital plates. Curry's group reported the vulnerability to Reviver, which patched it within 24 hours.
This is good news. It means the white hats found a problem and fixed it. One less way in for the bad folks. So if you, like me, understand that no system is ever 100% secure, you probably see this as getting closer to 100%, which is a good thing.
The other question you might have is whether this shows that digital license plates are a bad idea. Certainly metal plates can’t be tracked in real time as easily (though they can be tracked) and can’t be manipulated without physical access. One thing that stood out to me is that the numbers couldn’t be changed in this system. Only the customizable slogan. The best they could do was to put the stolen alert on.
I think I’m comfortable seeing digital license plates like digital money. There are some advantages and a new set of problems. But like most technology, it’s not wholly better or worse. I’m not sure in this case yet whether it’s a net positive or not. My metal plate has never lost connectivity. But then when the e-ink ones lose connectivity they just stay the same, and can’t be tracked. So maybe that’s OK.