Home Hacking Digital License Plate Hack Could Track, Falsely Report Stolen Cars

Digital License Plate Hack Could Track, Falsely Report Stolen Cars

by

Despite the expense, the idea of being able to deal with your license plate by accessing a mobile app or website seems like a great idea. Heck, even letting people know you own a Tesla is probably cool to somebody with an ego the size of the Burj Khalifa. That’s the idea behind Reviver’s digital license plate and it uses cell phone networks to not only work over the web to allow you to personalize your plate but also pay fees, track its location, and even have it display that the vehicle is stolen. Unfortunately, this is where the story starts to take a bit of a bad turn as there was a way for bad actors to gain access to all of that personal information, but could even wipe your information away. There is some good news, though.

And we’ll start with that. The issue was found by white hat hacker Sam Curry and reported to Reviver. In turn, Reviver was able to patch the security issue within 24 hours and this vulnerability appears to be fixed according to the blog post by Curry. The full step-by-step process that he and his team used to access the backend is on his blog and goes into detail on what they did, though not deep enough that anyone would really be able to replicate it without better knowledge of how websites, API, and JavaScript work. In fact, the blog post is more than just the Reviver vulnerability and goes into issues with OEM automakers and a vehicle tracking service, as well.

Unfortunately, anyone up to that point had access to all of the data a user inputted into the Reviver account and it wasn’t found until Curry decided to try and test Reviver’s data security. Within that time, anyone with the right knowledge and wrong intentions could have gotten customer data, their location at any time, and write messages on plates. They could have even falsely reported the vehicle was stolen on the license plate or wipe out all of a customer’s information, rendering the digital plate an expensive screen that displayed nothing.

While believers in the digital plate and connected car world will probably hold their hands up and say, “yeah, but it was fixed,” online privacy advocates like Electronic Frontiers Foundation (EFF) raised concerns about this very vulnerability back when these plates were first approved for use in California in 2019. Stephanie Lacambra, criminal defense attorney for the EFF at the time, told the San Francisco Chronicle (subscription required to view) that these plates would become a “honeypot of data,” saying , “Your locational history has the potential to reveal a lot more than… where you happen to be at a particular moment in time. It can reveal your associations, who you speak with, where you go to work, where you live.” Now, in 2023, this fear turned out to come true.

If you were someone who has these plates and are worried that your information has been compromised, so far it seems like that hasn’t been the case. Reviver told Vice’s Motherboard in its story that no information was accessed saying, “We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”

Of course, we’ve heard this from companies like LastPass recently and that turned out to be more of hopes than reality. For now, we can only take Reviver’s word for it and equally hope that nobody’s information was stolen or anyone was stalked due to hacked tracking data from Reviver’s plates. Maybe just sticking to decals or the old fashioned metal plate is the more secure option, still.

Source link

Related Articles

Translate »