Digital License Plates: Stupid, Pointless, Insecure

Reviver’s Rplate digital license plates are inherently insecure: Their design seems to be riddled with privacy holes, given the apparent lack of API security, which researchers easily defeated.

Then there’s the daft nature of the product itself. A fool and their money are soon parted, as the old saying goes—parted from $400 in the first year, to be precise.

It’s another silly Silicon Valley digitalization disaster. In today’s SB Blogwatch, we pity the fool.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Prospero.

The ‘S’ in IoT is for Security

What’s the craic? Joseph Cox reports—“Researchers Could Track the GPS Location of All of California’s New Digital License Plates”:

“We are proud”
A team of security researchers managed to gain “super administrative access” into Reviver, the company behind California’s new digital license plates. [They could] change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished.

California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates [at] between $20 and $25 a month. … Users can digitally update the lower section of their license plate to display different messages [including] “stolen.”

Reviver [said] it patched the issues identified by the researchers: “We are proud of our team’s quick response. … This potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk.”

No evidence? But hackers could easily tweak the plate text! José Rodríguez Jr. reminds us of the other angle—“Gaining Access to GPS Location and User Info”:

Alarming amount of information
The digital plates, called Rplates, went on sale in California late last year, but it was only a matter of time before hackers found a backdoor. … This allowed the team of researchers to track the location of all cars using the plates, access all user records and even change some of the text.

A vulnerability in the JavaScript of the website let the team change an account type from a regular user to an administrator. … On top of that, the bug gave researchers access to the same permissions and info of dealer fleets using digital plates. [It] could’ve given someone an alarming amount of information and control over the digital plates.

But why do we need digital license plates anyway? Lucas Ropek explains why (and why not)—“Digitize anything and someone will hack it”:

Some things really don’t need to be digitized
For the past several years, Cali has been on a weird mission to digitize its car tags. Advocates claim that this modernization effort will offer a host of benefits to drivers, including “visual personalization” and easy in-app registration renewal, but security experts have long warned that if you hook your plates up to the web, somebody will inevitably try to mess with them.

That’s exactly what has happened. … Reviver’s pricy, hi-tech solution also comes with some hi-tech problems. … Among other things, they found they had the power to track the GPS locations of every single registered user.

Let’s be honest: Some things really don’t need to be digitized. As boring as it is, I think I’ll be sticking with non-hackable tags for the foreseeable future.

Horse’s mouth? Sam Curry—“Critical Vulnerabilities”:

Privilege escalation vulnerabilities
Mass assignment … allows an attacker to remotely track and overwrite the virtual license plates for all Reviver customers, track and administrate Reviver fleets, and access, modify, and delete all user information. … All API functionality was done on the “pr-api.rplate.com” website. After creating a user account, our user account was assigned to a unique “company” JSON object, which … was super interesting as we could update many of the JSON fields within the object.

We were able to change our role … opening the door to potential privilege escalation vulnerabilities. … We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization. … At this point, we reported the vulnerability and observed that it was patched.
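The pattern Curry describes, as an added example that is not Reviver’s code: a JSON update handler that copies every client-supplied field onto the stored “company” object, beside a hardened version that allowlists editable fields and reports the rejected keys so attempts can be logged. All field and role names here are constructed for illustration.

```javascript
// Added example, not Reviver's code: the mass-assignment pattern Curry
// describes, beside an allowlisted update. All field names are constructed.
// Constructed account record, as a backend might store it after sign-up.
// Only the server should ever change "role".
function makeAccount() {
  return {
    id: "acct-1",
    company: { name: "Example Motors", role: "USER", plateText: "HELLO" },
  };
}

// Vulnerable pattern: every key in the client-supplied JSON body is copied
// onto the stored object, so a body can set privileged fields such as role.
function updateCompanyVulnerable(account, body) {
  Object.assign(account.company, body);
  return account;
}

// Hardened pattern: copy only fields the client may edit, validate their
// type, and report rejected keys so attempts can be logged and alerted on.
const CLIENT_EDITABLE = new Set(["name", "plateText"]);

function updateCompanySafe(account, body) {
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (!CLIENT_EDITABLE.has(key)) {
      rejected.push(key); // e.g. "role", "id": never writable from a request
      continue;
    }
    if (typeof value !== "string" || value.length > 64) {
      throw new TypeError(`invalid value for ${key}`);
    }
    account.company[key] = value;
  }
  return { account, rejected };
}

// Authorization for privileged routes (fleet locations, other users' plates)
// must come from the stored role, never from anything in the request.
function canViewFleet(account) {
  return account.company.role === "SUPER_ADMIN";
}

// Stand-alone demo: the same body against both handlers.
const body = { plateText: "HI THERE", role: "SUPER_ADMIN" };
const v = updateCompanyVulnerable(makeAccount(), body);
console.log("vulnerable role:", v.company.role, "fleet:", canViewFleet(v));
const { account: s, rejected } = updateCompanySafe(makeAccount(), body);
console.log("safe role:", s.company.role, "rejected:", rejected);
```

A non-empty `rejected` list on a request is exactly the signal a detection rule should alert on, since a legitimate client never sends keys it is not allowed to write.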

Who could possibly have seen this coming? csilverman sounds slightly sarcastic:

No way! I never imagined this could happen. I distinctly remember reading about this when they first came out years ago and thinking, “Goodness, I can’t think of a single problem with computerizing the primary means of visually identifying a specific vehicle.”

Something else that’ll never happen: Criminals hacking these things to immediately change the number right after committing a crime. It’s surely not possible.

I know, right? thomn8r has questions:

Why does a license plate need GPS?
Why has this been farmed out to a private company?
What do they actually do with the data?

And with more questions, here’s Scott Satellite:

Interesting, yet so many questions. … Mostly why would anyone want license plates that required a phone app or $99 installation. Also, I’m 100% sure we can’t trust the public to select their own message on the plate.

The “stolen” alert would be a good idea but couldn’t the Wile E. Coyote that stole your car just throw the digital plate away and attach a normal plate stolen from another car, the good old-fashioned way?

Has anyone seen them in the wild yet? Veronykah has:

These are super difficult to read at night from any distance as well. Was behind one the other night on the streets of Hollywood and couldn’t see it well enough to be able to give the plate number.

However, jqpabc123 tHiNkS iT’s A gReAt IdEa:

Wow! Only $25 a month to display a little message at the bottom—and for the “privilege” of having your privacy invaded by GPS tracking. It is impossible to overestimate the stupidity of the American consumer.

It’s just like I said yesterday: Products rushed to market without a thought for the security or privacy of their soon-to-be owners. And here’s an agreeable sapgau:

Security will be in 2.0. … No access lists, session enforcement or just plain checking a cookie token? Security was not even part of the design!

And Finally:

Yesterday wasn’t the first British satellite launch



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Reviver

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
