Last October, California became the third state in the United States, after Arizona and Michigan, to allow digital license plates on vehicles that travel its roads. The company Reviver has been solely authorized by California to provide this device and its associated services, but its system has been hacked less than three months after entering operation, and after four years of testing.
The group of security researchers that discovered the vulnerability in the Reviver service took an interest in the company because it manages the location data of service subscribers. Subscribers pay a fee of 20 or 25 dollars per month depending on the type of digital plate: battery-powered in the first case, or wired to the car in the second, which requires an extra $150 for installation that the first avoids, according to ExtremeTech.
Digital license plates consist of a ruggedized LCD screen (i.e. built to be stronger than a standard one) that shows customizable content. The user can enter a phrase that appears under the license plate number and that can be changed at any time.
If your car is stolen, you can use the service's app to make the plate show a fairly visible notice over the license plate number that identifies it as STOLEN, and the system also automatically notifies the police.
Both models have a SIM card and LTE capability, which keep them connected to the company's servers so that they can be tracked remotely and have their plates updated, as explained on his blog by Sam Curry, who is part of the research team that found the vulnerability.
By modifying the JSON file, they were able to change the account type to CORPORATE, which gave them permissions to manage a fleet of vehicles. But changing it to REVIVE_ROLE opened up many more privileges for them.
This full access to the system as super admin allowed them to find the location of vehicles with Reviver license plates, modify the text the plates show as well as the default picture, set the STOLEN status on any plate they wanted, with the consequent automatic notification to the authorities, and access user records, including the model of vehicle they use, their address, telephone number and email.
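The class of flaw described above, a server that trusts an account type supplied in client-side JSON, is shown here as an added example that is not Reviver's code. The field names (`type`, `plate_phrase`, `email`) and the `CONSUMER` value are assumptions; `CORPORATE` and `REVIVE_ROLE` are the account types named in the article.

```python
import json

# Assumed field names and the CONSUMER value are hypothetical; REVIVE_ROLE is
# one of the account types named in the article.
USER_EDITABLE = {"plate_phrase", "email"}


class Rejected(Exception):
    """Raised when a request tries to set a field the caller may not change."""


def update_vulnerable(account: dict, raw_body: str) -> dict:
    # Mass assignment: every key in the client's JSON is copied onto the
    # account record, including the privilege-bearing "type" field.
    updated = dict(account)
    updated.update(json.loads(raw_body))
    return updated


def update_hardened(account: dict, raw_body: str) -> dict:
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise Rejected("body must be a JSON object")
    # Allowlist: anything outside USER_EDITABLE is refused rather than
    # silently dropped, so the attempt can be logged and alerted on.
    forbidden = sorted(set(body) - USER_EDITABLE)
    if forbidden:
        raise Rejected(f"fields not user-editable: {forbidden}")
    updated = dict(account)
    updated.update(body)
    return updated


# Constructed sample data.
ACCOUNT = {"id": 1001, "type": "CONSUMER", "plate_phrase": "", "email": "a@example.test"}
TAMPERED = json.dumps({"plate_phrase": "hello", "type": "REVIVE_ROLE"})
BENIGN = json.dumps({"plate_phrase": "hello"})

if __name__ == "__main__":
    print("vulnerable:", update_vulnerable(ACCOUNT, TAMPERED)["type"])
    print("hardened:  ", update_hardened(ACCOUNT, BENIGN)["type"])
    try:
        update_hardened(ACCOUNT, TAMPERED)
    except Rejected as exc:
        print("rejected:  ", exc)
```

In the hardened version the account type can only change through a separate, server-side administrative path; it is never read from the subscriber's request body.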
The researchers reported their discovery to the company, which was able to patch it within just 24 hours of becoming aware of it. In a statement, Reviver has explained that the vulnerability was not exploited by third parties in this time and that user data has not been stolen.