Researchers Hacked License Plates Powered by E-Ink

Last fall, California allowed the use of digital license plates that run on electronic ink (e-ink). Less than six months later, researchers have already discovered vulnerabilities in this system that allow each license plate to be tracked, reprogrammed or erased.

Sam Curry
Sam Curry
The well-known information security expert Sam Curry, who has long studied the vulnerabilities of modern cars, spoke about the problems of digital license plates. At the beginning of January 2023, the expert published a long article on his blog on the many problems that he and his friends found in the systems of Ferrari, BMW, Rolls Royce, Porsche and other manufacturers. Curry already spoke about some of these studies last year, and some turned out to be new.

Let me remind you that we also wrote that Hackers Who Sold Car Hacking Tools with Keyless Entry Arrested, and also that DoppelPaymer operators published in the public domain Tesla documents.

One of the studies by Curry and his friends was devoted to modern digital numbers, the only major manufacturer of which is the Reviver company so far. This manufacturer’s plates, known as Rplate, come in both corded and corded versions, the latter being reserved for commercial fleets only. Reviver claims a battery life of five years as the e-ink only consumes power when the image changes.

car numbers on e-ink

The Rplate numbers have caught the attention of experts as they come with a SIM card for remote tracking and updating. For example, one of the features of electronic ink plates is a notification that a vehicle is stolen and moved without the knowledge of its owner. In this case, the number may change to the inscription “Stolen” (“STOLEN”).

It is worth noting that Reviver digital plates began appearing on California roads back in 2017 as part of a pilot program. The company says that since the start of the program and until the official legalization of Rplate, about 10,000 numbers were put into use.

Because the license plate can be used to track vehicles, we were very interested in Reviver and started testing their mobile app.writes Curry.

After creating a new Reviver account, the researchers found that this account was given a unique JSON “company” object that allowed them to add sub-users. Several other JSON fields were also editable, including one that specified the account type as CONSUMER .

However, it was not possible to change the value to some other one right away, since other types of accounts could not be found in the mobile application code. Then Curry and his colleagues decided to go the other way and turned to the password reset URL used by Reviver.

We have noticed that the [password reset] site has many features, including the administration of vehicles, fleets and user accounts.the expert writes.

As it turned out, the JavaScript on the site contained a complete list of roles, and this allowed the researchers to change their account type to any other. They ended up gaining access to a role called REVIVER, with which the site’s user interface didn’t work properly. The researchers quickly figured out that this was an administrator account, not intended to interact with the user interface at all.

Using our super admin account with full authorization, we were able to perform any of the usual API calls (viewing the location of a car, updating license plates, adding new users to accounts) and any actions.writes Curry.

Worse, in addition to privilege escalation, the REVIVER role gave access to any dealership that handled digital numbers, allowing Curry to remotely change the default images from “DEALER” to anything else.

car numbers on e-ink

car numbers on e-ink

A real attacker could remotely update, track or even delete someone’s Reviver numbers.the specialist concluded.
Currently, all the problems discovered by researchers have already been fixed. In his report, Curry notes that the company fixed the vulnerabilities in “less than 24 hours.”
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button