Security
Headlines
HeadlinesLatestCVEs

Headline

Hackers Can Jailbreak Digital License Plates to Make Others Pay Their Tolls and Tickets

Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance.

Wired
#vulnerability#web#git

Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car’s license plate number at will to avoid traffic tickets and tolls—or even pin them on someone else.

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he’s able to rewrite a Reviver plate’s firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image.

That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. “You can put whatever you want on the screen, which users are not supposed to be able to do,” says Rodriguez. “Imagine you are going through a speed camera or if you are a criminal and you don’t want to get caught."

One of Reviver’s license plates, jailbroken to show any image IOActive researcher Josep Rodriguez chooses.

Photography: IOActive

Worse still, Rodriguez points out that a jailbroken license plate can be changed not just to an arbitrary number but also to the number of another vehicle—whose driver would then receive the malicious user’s tickets and toll bills. “If you can change the license plate number whenever you want, you can cause some real problems,” Rodriguez says.

All traffic-related mischief aside, Rodriguez also notes that jailbreaking the plates could also allow drivers to use the plates’ features, including its built-in GPS tracking, without paying Reviver’s $29.99 monthly subscription fee.

Because the vulnerability that allowed him to rewrite the plates’ firmware exists at the hardware level—in Reviver’s chips themselves—Rodriguez says there’s no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company’s license plates are very likely to remain vulnerable despite Rodriguez’s warning—a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. “It’s a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it,” he says.

IOActive says it repeatedly tried to contact Reviver about its findings over the past year, going so far as to describe its findings to US CERT, which then also tried to contact Reviver about the problem. Nonetheless, Reviver told WIRED that it only became aware of IOActive’s jailbreaking research when WIRED reached out to the company last week.

In a statement, the company noted that jailbreaking a digital license plate to avoid tolls, tickets, or other law enforcement surveillance “would be a criminal act subject to prosecution by law enforcement.” The company adds that “the jailbreak technique identified by IOActive requires physical access to the vehicle and plate, plate removal, specialized tools, and expertise” and that “this scenario is highly unlikely to occur in real-world conditions, limiting it to individual bad actors knowingly violating laws and product warranties.” Reviver says it’s also redesigning its license plates to avoid using chips vulnerable to Rodriguez’s hacking technique in the future.

While Rodriguez agrees that jailbreaking a Reviver plate would require removing it from a vehicle, he disputes Reviver’s claim that it would require “specialized tools” or “expertise.” To develop his jailbreaking method, he did use a fault-injection technique that required attaching wires to the plates’ internal chip, monitoring its voltage, and “glitching” that voltage at a specific moment to switch off its security features and gain the ability to analyze and rewrite its firmware. But once that reverse engineering process was complete, he used its results to develop a jailbreak tool that requires none of that technical complexity.

If that tool were to leak or be sold online—Rodriguez himself says he doesn’t plan to publish his—he says anyone could use it to jailbreak their own plate in a matter of minutes. “They just need to connect a cable and install the new firmware, just like if you were jailbreaking your iPhone,” Rodriguez says.

Rodriguez also notes that his hacking technique could be used not just by a driver who wants to jailbreak their own plate, but also by someone targeting an unwitting owner of a plate too. If a hacker—or a parking valet or auto mechanic—could manage to remove a license plate and install their own firmware on it, Rodriguez warns, they could surreptitiously track a driver or even change their license plate number over the internet by programming the plate to connect to a server the hacker controlled.

In addition to the physical access and time necessary to pull off that hack, however, a license plate saboteur would also need to overcome a feature of Reviver’s plates that sends a notification to the owner when it’s detached from a vehicle. That would require jamming the plate’s radio communications while tampering with it, Rodriguez notes, an added wrinkle that makes the attack even less practical, though perhaps not impossible.

Rodriguez isn’t the first to hack Reviver’s systems. In 2022, security researcher Sam Curry found vulnerabilities in the company’s web infrastructure that allowed him to make himself an administrator in its backend database, with the ability to track or change license plates at will. Unlike Rodriguez’s hardware hacking, however, Reviver was able to quickly patch its web-based bugs to prevent Curry’s technique.

Although Curry’s web hacking method was far easier to pull off prior to Reviver’s patch than Rodriguez’s hardware hacking, he says that Rodriguez’s method would likely hold real appeal for certain scofflaw drivers, who might want to jailbreak their Reviver plates or simply buy pre-jailbroken plates online. “If you want to swap your license plate number, James Bond style, then drive at crazy speeds or something, you can change it for a few hours and change it back without even pulling into a parking garage,” says Curry. “The people who are causing havoc on the road would probably be into this.”

Digital license plates are currently legal to buy and register in California and Arizona (Michigan also briefly allowed them), with many more states considering legalizing them in years to come. As that rollout continues, Rodriguez and Curry argue that license plate makers, transit regulators, and law enforcement all need to be aware that any system that relies solely on license plates as an identifier may be susceptible to digital license plate hacking—with potentially chaotic consequences.

“You should assume people will mess with them,” says Curry. “And people need to accept the implications of that.”

Updated 12:48 pm EST, December 16, 2024: Clarified Michigan’s policy on digital license plates.

Wired: Latest News

Stop Calling Online Scams ‘Pig Butchering,’ Interpol Warns