A team of security researchers gained “super administrative access” to Reviver, the company behind California’s new digital license plates, which launched last year. According to the researchers’ blog post, that access let them track the physical GPS location of every Reviver customer and rewrite the strip of text at the bottom of the plate, which is designed for personalized messages, to say whatever they wished.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.
California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and “legal to purchase in a growing number of states.”
Customers pay between $20 and $25 a month for a battery-powered or wired version of the plate, according to Reviver’s website. The battery-powered plate lasts roughly five years or 50,000 miles on a charge, according to a Reviver promotional video.
Users can digitally update the lower section of their license plate to display different messages. In the promotional video, one message reads “looking for a trail.” Another reads “Go Team!” An accompanying app can also alert a user if their car moves when it is supposed to be parked, indicating it may have been stolen; the license plate will then display the text “stolen.” Reviver promises a “continuous rollout of new features,” including automatic toll payment, parking payment, roadside assistance, and vehicle diagnostics.
The video also says Reviver has “strong privacy & data security” and offers “true peace of mind.” In the blog post, Curry writes the researchers were interested in Reviver because the license plate’s features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts.
Those included “CONSUMER” and “CORPORATE.” Eventually, the researchers identified a third role called “REVIVER” and found they could change their own account to it. That change granted them access to data and capabilities across the platform, including tracking the location of vehicles. “We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization,” Curry writes.
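The blog post does not publish Reviver’s code, so the following is an added illustration, written for this page and not taken from Reviver or from Curry’s write-up, of the class of bug the passage describes: a profile-update handler that copies whatever fields the client sends onto the account, including the role, beside a hardened handler that allowlists user-editable fields and moves role changes behind a staff-only call. The role names are the ones the researchers reported; everything else (the `Account` and `Vehicle` types, the sample vehicles, the function names) is a constructed assumption.

```python
from dataclasses import dataclass
from typing import Any, Dict, Tuple

# Role names reported in the write-up; the access-control model around them is assumed.
ROLES = frozenset({"CONSUMER", "CORPORATE", "REVIVER"})


@dataclass
class Account:
    email: str
    role: str = "CONSUMER"   # every self-registered account starts as a consumer
    display_name: str = ""


@dataclass
class Vehicle:
    plate_id: str
    owner_email: str
    lat: float
    lon: float
    banner: str              # the user-editable text strip at the bottom of the plate


# Constructed sample data; these are not real plates, customers or coordinates.
VEHICLES: Dict[str, Vehicle] = {
    "PLATE-0001": Vehicle("PLATE-0001", "owner1@example.com", 37.7749, -122.4194, "Go Team!"),
    "PLATE-0002": Vehicle("PLATE-0002", "owner2@example.com", 34.0522, -118.2437, "looking for a trail"),
}


def authorize_vehicle_access(actor: Account, vehicle: Vehicle) -> bool:
    """Owners may act on their own vehicle; the REVIVER (staff) role may act on any."""
    return actor.role == "REVIVER" or actor.email == vehicle.owner_email


def get_vehicle_location(actor: Account, plate_id: str) -> Tuple[float, float]:
    """The 'view vehicle location' API call: checks ownership or staff role first."""
    vehicle = VEHICLES[plate_id]
    if not authorize_vehicle_access(actor, vehicle):
        raise PermissionError(f"{actor.email} is not authorized for {plate_id}")
    return (vehicle.lat, vehicle.lon)


def set_plate_banner(actor: Account, plate_id: str, text: str) -> str:
    """The 'update vehicle plate' API call: same check, then rewrites the banner."""
    vehicle = VEHICLES[plate_id]
    if not authorize_vehicle_access(actor, vehicle):
        raise PermissionError(f"{actor.email} is not authorized for {plate_id}")
    vehicle.banner = text
    return vehicle.banner


def vulnerable_update_profile(account: Account, payload: Dict[str, Any]) -> Account:
    """Mass assignment: every attribute named in the request body is written through,
    so a client that adds "role": "REVIVER" to an ordinary profile edit promotes itself.
    The per-vehicle checks above are then satisfied for every vehicle in the system."""
    for key, value in payload.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return account


# Hardened version: the server, not the client, decides which fields a user may edit.
USER_EDITABLE_FIELDS = frozenset({"display_name"})


def hardened_update_profile(account: Account, payload: Dict[str, Any]) -> Account:
    """Rejects the whole request if it names any field outside the allowlist."""
    unexpected = set(payload) - USER_EDITABLE_FIELDS
    if unexpected:
        raise PermissionError(f"fields not updatable by the account holder: {sorted(unexpected)}")
    for key, value in payload.items():
        setattr(account, key, value)
    return account


def admin_set_role(actor: Account, target: Account, new_role: str) -> str:
    """Role changes live in a separate, staff-only operation with its own authorization."""
    if actor.role != "REVIVER":
        raise PermissionError("only REVIVER staff may change account roles")
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    target.role = new_role
    return target.role


if __name__ == "__main__":
    attacker = Account("attacker@example.com")
    vulnerable_update_profile(attacker, {"display_name": "x", "role": "REVIVER"})
    # A consumer account now passes the staff check on a stranger's vehicle.
    print(attacker.role, get_vehicle_location(attacker, "PLATE-0002"))
    try:
        hardened_update_profile(Account("attacker2@example.com"), {"role": "REVIVER"})
    except PermissionError as exc:
        print("hardened handler refused:", exc)
```

The fix is not the allowlist alone: role escalation stops only if no user-reachable endpoint writes the role field and every privileged call re-checks the role stored server-side rather than anything the client supplies.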