A team of security researchers managed to gain “super administrative access” into Reviver, the company behind California’s new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.
Do you know any other cases of exposed location data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and “legal to purchase in a growing number of states.”
Customers can pay between $20 and $25 a month for a battery or wired powered version of the plate, according to Reviver’s website. The plates have around a 5 year or 50,000 miles worth of battery life, according to a Reviver promotional video.
Users can digitally update the lower section of their license plate to display different messages. In the promotional video, one message reads “looking for a trail.” Another reads “Go Team!” An accompanying app can also update a user if their car moves when it is supposed to be parked, indicating it may have been stolen. The license plate will then display the text “stolen.” Reviver promises "continuous rollout of new features," including automatic toll payment, parking payment, roadside assistance, and vehicle diagnostics.
The video also says Reviver has “strong privacy & data security” and offers "true peace of mind."
In the blog post, Curry writes the researchers were interested in Reviver because the license plate’s features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included “CONSUMER” and “CORPORATE.” Eventually, the researchers identified a role called “REVIVER,” managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, which included tracking the location of vehicles.
“We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization,” Curry writes. “We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.”
Reviver told Motherboard in a statement that it patched the issues identified by the researchers.
“We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections,” the statement read.
“Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles,” it added.