White Hat Takes Control of Smart California License Plates with New Hack

Mere months after California legalized customizable, 5G-powered smart license plates, a hacker has found ways to take control of them and cause all sorts of mischief - in the name of science.

White hat hacker Sam Curry reveals in a blog post how he and his nerdy pals got full access to every account on the network of Reviver - the only company vetted by the state of California to sell the digital plates.

The battery-powered plates have 5G connectivity and allow users to customize the graphics and wording on the plates, including to report a stolen vehicle and display the sign STOLEN.

The device can also track a vehicle’s whereabouts to track mileage on zero-emission vehicles and apply for low-carbon fuel standard credits from the state.

While the invention sounds promising, the tables are turned when hackers apply their tricks to it.

With remote access to the plates, Curry and his hacking crew were able to:

• Track the physical GPS location and manage the license plates for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
  
• Change any vehicle status to “STOLEN,” which updates the license plate and informs authorities
  
• Access all user records, including which vehicles people owned, their physical address, phone number, and email address
  
• Access the fleet management functionality for any company, and locate and manage all vehicles in a fleet

Curry reached out to Reviver with his findings before publishing the research. The vendor quickly applied patches, telling Motherboard:

“Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections.”

In light of this development, Reviver said cybersecurity remains a central aspect of its mission to modernize the driving experience, pledging to work with experts to better secure its products.