Digital license plates, now available in an increasing number of states and approved for nationwide use, offer unique advantages over traditional metal plates. They allow customization, such as displaying novelty messages around the plate number or marking a vehicle as stolen.
However, a security researcher has demonstrated a troubling vulnerability: these plates can be hacked to alter license plate numbers at will, potentially avoiding fines, tolls, or even framing others for violations.
Josep Rodriguez, a security expert at IOActive, uncovered a method to “jailbreak” digital license plates made by Reviver, the leading U.S. provider with 65,000 units sold.
By peeling off a sticker on the back of the plate and connecting a cable to its internal components, Rodriguez could modify the plate’s firmware in just minutes.
Once modified, the hacked plate can be controlled via Bluetooth using a smartphone app, enabling the display to instantly show any characters or images.
Rodriguez highlights that this vulnerability in digital license plates could allow drivers to bypass systems reliant on license plate numbers for enforcement and monitoring. These include toll systems, speed and parking ticket cameras, and police automatic license plate readers used to track suspects.
“You can display anything on the screen, something users should never be able to do,” Rodriguez explains. “Think about evading a speed camera or avoiding detection if you’re a criminal on the run.”
Rodriguez warns that the risks go beyond altering a license plate number arbitrarily—it could be changed to match another vehicle’s number, transferring tolls and tickets to an unsuspecting driver. “Being able to switch the plate number at will can lead to serious problems,” he explains.
Beyond traffic-related exploits, a jailbroken plate could also bypass Reviver’s $29.99 monthly subscription fee, allowing users to access features for free.
The issue stems from a hardware vulnerability in Reviver’s chips, making a simple software update insufficient to fix it. Rodriguez notes that addressing the flaw would require replacing the chips in every plate, an impractical solution given the number of plates already in use.
As digital license plates gain traction nationwide, he emphasizes the importance of policymakers and law enforcement understanding this weakness.
“This is a significant issue,” Rodriguez states. “With thousands of plates affected, resolving it would mean replacing hardware entirely.”
IOActive claims it made multiple attempts to inform Reviver about the vulnerability over the past year, even involving the US CERT, a federal cybersecurity team, to relay the findings. However, Reviver stated it only became aware of IOActive’s research when contacted by WIRED last week.
In response, Reviver emphasized that tampering with a digital license plate to evade enforcement would constitute a criminal act.
The company added that jailbreaking their plates would require physical access, removal of the plate, specialized tools, and expertise, making it an unlikely scenario limited to isolated, intentional misconduct.
Reviver also revealed plans to redesign its plates to eliminate reliance on the vulnerable chip identified by Rodriguez.
Rodriguez, however, disputes the claim that jailbreaking demands advanced tools or knowledge.
While his initial research involved a complex fault-injection method—connecting wires to the plate’s chip, monitoring voltage, and temporarily disrupting it to disable security features—he later developed a simpler jailbreak tool.
This tool, based on his findings, eliminates much of the technical difficulty, making the process more accessible than Reviver suggests.
Rodriguez warns that if his jailbreak tool were to leak or be sold online (though he has no intention of publishing it), anyone could use it to jailbreak their digital license plate within minutes. “It’s as simple as connecting a cable and installing the new firmware, much like jailbreaking an iPhone,” he explains.
Beyond personal use, Rodriguez highlights the potential for malicious actors to target unsuspecting license plate owners.
If a hacker, valet, or mechanic were able to remove a plate and install custom firmware, they could remotely change the license plate number by programming the plate to connect to a server they control.
However, executing such a hack is not without challenges. The saboteur would need to physically access the plate and have the time to modify it. Additionally, Reviver’s plates send a notification to the owner if the plate is detached from the vehicle.
To bypass this, an attacker would have to jam the plate’s radio signal while tampering with it, adding another layer of difficulty to the attack—though not making it entirely impossible.
Rodriguez isn’t the first to expose vulnerabilities in Reviver’s systems. In 2022, security researcher Sam Curry discovered weaknesses in the company’s web infrastructure, allowing him to gain administrator access to its backend database.
This gave him the ability to track or change license plates at will. However, Reviver quickly patched these web-based bugs, preventing Curry’s method from being exploited.
While Curry’s web hacking technique was easier to execute before the patch, he believes Rodriguez’s hardware-based method could appeal to certain drivers looking to exploit digital license plates.
“If you want to switch your license plate number like a secret agent, drive at high speeds, and then change it back without stopping, this method would be ideal,” Curry says. “People causing chaos on the road would likely be interested in this.”
Currently, digital license plates are legal in California and Arizona, with Michigan briefly allowing them as well. As more states move toward legalizing these plates, both Rodriguez and Curry caution that any system relying solely on license plates for identification may be vulnerable to hacking, with potentially disruptive outcomes.
“You have to expect people will tamper with them,” Curry warns. “We all need to consider the consequences of that.”
Stories You May Like