The “Internet of Things” (IoT) is a tech industry term that sounds innocuous, but its existence has some serious implications for our security and privacy. IoT devices are ordinary objects or appliances with embedded sensors, computer processors, and communication modules — WiFi-connected cars, smart picture frames, internet-connected thermostats, and so on. These devices offer some conveniences, but they’ve also become more invasive and prone to security vulnerabilities. You might be concerned about someone hacking your computer or phone, but you probably haven’t thought about someone hacking your smart fridge.
A powerful example of this comes from California, where new digital license plates — promoted as an optional upgrade — were legalized by Governor Gavin Newsom in October 2022. Just a few months after release, California’s electronic license plate system has already been hacked, allowing hackers to track GPS location, access the owner’s personal info, change text on the plate, and more. They could even flag the vehicle as stolen, which could prompt police to conduct a high-intensity felony stop.
The Electronic License Plate Hack
Above: Reviver’s product page touts “control in the palm of your hand” by using the mobile app to customize your RPlate.
Luckily, the hackers in this case were benevolent “white hats” who had no intention of using this vulnerability to cause chaos. Instead, they immediately reported the vulnerability (likely for a large cash bounty) to Reviver, the company that sells and manages the new RPlate electronic license plates. Reviver reportedly patched the flaw within 24 hours. After an internal investigation, the company claimed that the flaw had never been used maliciously and that no user data had been leaked to the public.
Above: This privacy promise from Reviver seems rather ironic given the recent cybersecurity revelations.
Even though a cybersecurity disaster was narrowly averted in this case, it’s certainly concerning to learn how serious the vulnerability was. Security researcher Sam Curry explained that a JavaScript flaw in Reviver’s website allowed his team to switch their account access level from that of a standard user to a “super administrator.” Once they had admin access, they could…
Access personal information of any electronic plate owner, including vehicles owned, physical address, phone number, and email address
Remotely track the GPS location of any electronic license plate
Delete license plates from the system
Add new license plates to the system
Replace the dealer logo on temporary tags for new cars
Change the custom text line at the bottom of the plate
Update the status of any electronic plate to “STOLEN,” which could lead police to stop the driver at gunpoint
Above: Under normal circumstances, the ability to mark a plate as “STOLEN” instantly might seem beneficial. In this case, it almost became a huge safety issue.
A Growing Cybersecurity Problem
This isn’t even close to the only serious vulnerability documented by Sam Curry in his blog post, Web Hackers vs. The Auto Industry. He also showed web backdoors that affected a staggering list of automakers, including Kia, Hyundai, Honda, Toyota, Infiniti, Nissan, Acura, Ford, Mercedes-Benz, BMW, Porsche, and even Ferrari. Many of these included the ability to “remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk” using only the vehicle’s publicly visible VIN.
In the past, hackers have also demonstrated the ability to remotely turn off vehicles that are already in motion, which could lead to a serious crash.
Auto industry aside, the state of California is no stranger to glaring cybersecurity vulnerabilities. Last summer, the CA Department of Justice confirmed that the personal data of everyone who was granted or denied a concealed-carry weapon permit between 2011 and 2021 had been leaked. This info included “names, date of birth, gender, race, driver’s license number, addresses, and criminal history.” This leak affected nearly a quarter-million Californians, including judges and police officers, possibly making these individuals a target for home invasion robberies and other crimes.
Talk is Cheap
In almost every case, the affected companies or governing bodies have been quick to apologize and assure everyone it was an isolated incident. But it’s clear that these hacks will continue happening unless those responsible for our data spend the time and money to make cybersecurity a much higher priority.
In the meantime, we encourage you to weigh the pros and cons carefully before adding more IoT smart devices to your home (or garage).
The post California’s Electronic License Plate System Just Got Hacked appeared first on RECOIL OFFGRID.