zzdcar
Home
/
Reviews
/
Culture
/
Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info (Update)
Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info (Update)-July 2024
2024-02-19 EST 22:12:00

Image for article titled Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info (Update)

managed to hack into California’s new , which are sold and managed by tech company . The digital plates, called , went on sale in California late last year, but it was only a matter of time before found a backdoor into Reviver’s systems.

Luckily, the white hats got there first by gaining full “super administrative access” via the website, according to . This allowed the team of researchers to track the location of all cars using the plates, access all user records and even change some of the text shown on the digital plate displays.

This article was originally published on Monday, January 9th at 06:30pm EST. It has been updated with a statement from Reviver following the discovery of the bug, which the company says has been patched.

Bug bounty hunter Sam Curry how the team started probing Reviver’s mobile app first, then the website. The team became interested in Reviver due to the company’s ability to track the digital plates — and any car wearing one.

Image for article titled Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info (Update)

Curry says a vulnerability in the Javascript of the website let the team change an account type from a regular user to an administrator, giving them access to GPS location and all information of registered users: this info includes “vehicles people owned, their physical address, phone number, and email address.” On top of that, the bug gave access to the same permissions and info of dealer fleets using digital plates:

Since our administrator account theoretically had elevated permissions, our first test was simply querying a user account and seeing if we could access someone else’s data: this worked!

We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization.

At this point, we reported the vulnerability and observed that it was patched in under 24 hours. An actual attacker could remotely update, track, or delete anyone’s REVIVER plate. We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.

The bug also allowed the researchers to update the status of any digital CA plate to “STOLEN,” which could alert police and possibly send them after a car falsely labeled as the object of . Researchers said they could also change the slogan or text at the bottom of the plate — which users can change at will — but the team didn’t say that they could change the actual license plate number.

Even so, the bug found on the Reviver site could’ve given someone an alarming amount of information and control over the digital plates. As Curry notes, Reviver patched the bug within 24 hours after it was reported; the company shared a statement with Jalopnik saying a subsequent investigation found that the “potential vulnerability” had not been misused, nor had any user data been leaked. From Reviver:

We were recently contacted by a cybersecurity researcher regarding potential application vulnerabilities in the auto industry. Our team immediately investigated this report, met with the researcher, and, out of an abundance of caution, engaged leading data security and privacy professionals to assist.

We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.

Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles.

Image for article titled Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info (Update)

Comments
Welcome to zzdcar comments! Please keep conversations courteous and on-topic. To fosterproductive and respectful conversations, you may see comments from our Community Managers.
Sign up to post
Sort by
Show More Comments
Culture
Third-Generation Subaru Crosstrek Refines the Small Crossover Game
Third-Generation Subaru Crosstrek Refines the Small Crossover Game
Not to be outdone by the (), revealed to the world its third-generation . says it has refined the driving dynamics of the small crossover and emphasized the uniqueness of the car’s design. It’s also got a slew of new and updated tech and creature comforts inside. The vehicle...
Jul 10, 2026
Coding the Car Seeks to Understand Where Connected Cars Are Headed Next
Coding the Car Seeks to Understand Where Connected Cars Are Headed Next
Like it or not, , and as cars get smarter and more connected, the automotive industry is going to find more ways to use the data they collect on your driving habits to make cars safer — and also to make more money. I know that sounds kind of grim,...
Jul 10, 2026
Honda Dealers Really Wish They Had More Cars to Sell
Honda Dealers Really Wish They Had More Cars to Sell
Honda may have been hit harder by the ongoing supply chain crisis than its rivals if dealer stock is any indication, Mitsubishi is another automaker that’s lost out in the Inflation Reduction Act’s new EV credit system and two more brands are idling production lines in Europe. You’ll have...
Jul 10, 2026
Dacia's Manifesto Concept Is an Escape From Cyberpunk City Life
Dacia's Manifesto Concept Is an Escape From Cyberpunk City Life
In the past few years, there’s been a burgeoning trend in car design: cyberpunk. No, I don’t mean the (or infamy, depending on ), I mean the the that mixes advanced technology with ‘80s punk attitudes. From the to the , it seems every modern concept is built for...
Jul 10, 2026
Marked Cop Cars Targeted by Catalytic Converter Thieves In San Francisco
Marked Cop Cars Targeted by Catalytic Converter Thieves In San Francisco
Four clearly marked police cars in the San Francisco Police Department fleet were relieved of their catalytic converters this week by scrap metal thieves looking to make a quick buck. Even though this theft occurred in front of a police building in broad daylight, no one is optimistic that...
Jul 10, 2026
Tesla Is Getting Sued For False Advertising Over Autopilot And FSD
Tesla Is Getting Sued For False Advertising Over Autopilot And FSD
Autopilot and FSD buyers are suing Tesla, automakers are upset that dealers aren’t allowed to lie, and Tesla is moving battery production stateside. All that and more in for Thursday, September 15, 2022. There’s a tradition in the automotive world, one that’s sprung up over the past decade. Once...
Jul 10, 2026
Copyright 2023-2026 - www.zzdcar.com All Rights Reserved