A team of researchers managed to gain "super admin access" into Reviver, the company behind California's new digital license plates which launched last year.
An anonymous reader quotes a report from Motherboard:
A team of security researchers managed to gain "super administrative access" into Reviver, the company behind California's new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers.
"An actual attacker could remotely update, track, or delete anyone's REVIVER plate."
Sam Curry, a bug bounty hunter, wrote in the blog post. Curry added that he and a group of friends started finding vulnerabilities across the automotive industry that included Reviver.
California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and "legal to purchase in a growing number of states."
In the blog post, Curry writes the researchers were interested in Reviver because the license plate's features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included "CONSUMER" and "CORPORATE."
Eventually, the researchers identified a role called "REVIVER," managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, which included tracking the location of vehicles.
"We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization."
"We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags."
Reviver told Motherboard in a statement that it patched the issues identified by the researchers:
"We are proud of our team's quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections."
"Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles."