How to track equipped cars via exploitable e-ink platemaker

California's street-legal ink license plates only received a nod from the US government in October, but reverse engineers have already discovered vulnerabilities in the system allowing them to track each plate, reprogram them or even delete them at a whim.

In a blog post by security researcher Sam Curry, he describes a project targeting digital license plate maker Reviver put together with some friends, among several other automotive security experiments.

The system of Reviver, maker of the only commercially available digital license plate on the market and the company behind the push for E Ink plate legalization in California, caught Curry and his friends' attention because it included internal tracking tools for its plates.

"Since the license plate could be used to track vehicles, we were super interested in Reviver and began auditing the mobile app," Curry said.

Reviver plates began showing up on California roads in 2017 as part of a pilot program. Reviver said it deployed around 10,000 of them from 2017 until the pilot program was ended ahead of legalization.

One feature of the e-ink plates would be to notify owners if the vehicle was moved without their knowledge. If so, the plate could be changed to read STOLEN.

After a bit more digging and creation of a new Reviver account, Curry and friends found that their account was assigned a unique "company" JSON object that allowed them to add sub-users to their account. 

Interestingly enough, several of the other JSON fields in the company object were also editable, including one that defined the account type as "CONSUMER." Other account types were unlisted in the mobile app, and so Curry and co turned to Reviver's password reset URL.

"We observed that the [password reset] website had tons of functionality including the ability to administer vehicles, fleets, and user accounts," Curry said.

JavaScript on the site also contained a full list of other roles, and the crew found they were able to edit their account type to be any they desired.

Curry and friends ultimately gained access to a role called REVIVER, which broke the password reset site's UI, cluing them in that it might actually be an administrator account not designed to interact with the consumer interface. 

That turned out to be the case. 

"We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry said. The site also gave them access to fleet management functionality.

Trolling was also a possibility with the permissions Curry found he could grant himself. The REVIVER role aditionally granted access to any dealership that packaged the plates, allowing Curry to change the default images from DEALER to, well, whatever inappropriate phrase would fit.

Along with elevating the permissions on the account used in the experiment, Curry said the company role object, which gives permission to invite sub-users, allowed him to invite others with elevated permissions.

"An actual attacker could remotely update, track, or delete anyone's REVIVER plate," Curry said. 

• OK, boomer? Gen-X-ers, elder millennials most likely to name their cars, says DVLA
• 0ops. 1,OOO-plus parking fine refunds ordered after drivers typed 'O' instead of '0'
• Australian state adds AI number plate readers to GPS tracking of corona-quarantine busters
• Port of Hamburg to pave its roads with Cisco things

The vulnerability was reported to Reviver, which Curry said patched it "in under 24 hours."

The company confirmed this, telling The Register: "We are proud of our team's quick response," adding: "Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report."

Reviver plates are street legal in California, Arizona and Michigan, and in the state of Texas for commercial vehicles only. Several other states are piloting the technology; at between $800 and nearly $1,000 for a two-year contract, hopefully Reviver is a bit more secure now than at launch. ®