Security researchers were able to gain “super administrative access” to Reviver, the sole provider of California’s digital license plates, and track the GPS location of all of vehicles they are associated with.
A team of security researchers successfully obtained “full super administrative access,” which allowed them to perform a slew of tasks involving the company’s user accounts and vehicles, according to a blog post by researcher Sam Curry.
After gaining access, a hacker could track the physical GPS location of all license plates of Reviver customers, as well as change the slogan or personalized message at the bottom of the plates to arbitrary text.
The personalized messages on the license plates involves a feature that allows customers to digitally update the bottom section of their plates to display different messages, such as, “Go Team!” or “looking for a trail.”
Additionally, a hacker could update any vehicle status to “STOLEN,” which would alert authorities.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Curry wrote in his blog post, revealing that he and his team had found security vulnerabilities across the automotive industry, not just with Reviver.