License Plate Hacking: Security Researcher Exposes Vulnerability in Digital Plates
A security researcher has uncovered a vulnerability in digital license plates, which are increasingly being adopted in the United States. According to the researcher, exploiting this flaw allows tampering with the displayed license numbers, potentially enabling evasion of fines or framing other drivers.
Josep Rodriguez of IOActive discovered a method to hack digital plates produced by Reviver, a market leader with 65,000 units sold. The hack involves reprogramming the device via internal connectors, a process that takes mere minutes. Using a Bluetooth-enabled application, one can then alter the displayed license number at will.
The expert warns that this vulnerability poses a significant risk to systems relying on license plate recognition. Drivers could bypass speeding fines, evade unpaid parking fees, or avoid toll payments. Additionally, malicious actors might frame innocent drivers by programming their registration details onto another vehicle’s plate.
Rodriguez emphasized that this issue cannot be resolved through a software update, as it stems from the device’s hardware design. Addressing the flaw would necessitate replacing chips in all affected units. He described the vulnerability as systemic, urging regulators and law enforcement to take action.
Reviver stated that tampering with digital plates to evade penalties or law enforcement constitutes a criminal offense. The company argued that such an act requires physical access to the vehicle, specialized tools, and expertise, making it unlikely in real-world scenarios. Furthermore, Reviver is developing a new generation of devices featuring more secure chips.
However, Rodriguez contends that the hack is neither complex nor tool-intensive. Following an initial analysis, he devised a method that enables exploitation in minutes by simply connecting a cable to the plate. He likened the process to jailbreaking a smartphone.
The researcher also highlighted that the hack could be executed not only by the plate’s owner but also by third parties. For instance, a mechanic or valet could discreetly reprogram the device to track the car’s movements or remotely alter its license number.
Despite additional security measures, such as notifications triggered when a plate is removed, Rodriguez believes attackers could bypass these safeguards by jamming radio signals. Although this scenario is less likely, he does not rule it out entirely.
Digital license plates are currently approved for use in California and Arizona, with other states considering legalization. Experts caution that widespread adoption of these devices could lead to abuse unless manufacturers and regulators implement robust security measures.