California’s Mission to Digitize Car Plates Resulted in Them Getting Hacked
California’s multi-year mission to legalize digital car tags became a reality in October of 2022. Proponents of this endeavor claim modernizing license plates will offer several benefits to drivers, like monitoring, safety features, and an in-app method of renewing your registration.
However, security experts have strenuously cautioned that connecting one’s license plate to the internet leaves it vulnerable to digital hacking and other attacks. And now, the inevitable has come to pass.
In a recent blog post, bug hunter and security researcher Sam Curry stated that he and his friends managed to attain “full super administrative access” to all of the user accounts linked to Reviver, the company responsible for selling California’s modernized plates.
Reviver sells the RPlate, a “smart plate” that’s essentially a battery-powered digital display that’s attached to a vehicle’s back end and projects the car’s information. The app comes with several safety features, monitoring capabilities, and also allows the user to share different graphics and words on the plate. The cost, according to Reviver’s website, is $20 a month.
Curry and his friends explored Reviver’s app and investigated its website, and were able to identify a vulnerability that allowed them to gain full admin access to “all user accounts and vehicles for all Reviver connected vehicles.” With that access, they found they could track the GPS location of every single registered user, change data on the users’ plates, and even report specific vehicles as stolen, using an in-app feature Reviver provides that allows stolen cars to be reported to the authorities.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Curry writes. “We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags.”
In a statement provided to Motherboard, Reviver admitted that the software vulnerabilities that allowed the invasion to take place had been patched.
The statement reads, in part: “We are proud of our team’s quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report.”
The moral of this story is simple: Metal plates tell no tales.
Story via Gizmodo.com