Digital license plates, a modern innovation designed to replace traditional metal plates, have been gaining traction due to their customizable features and enhanced functionalities. However, a recent discovery by cybersecurity researcher Josep Rodriguez has exposed a significant flaw in these plates, particularly those sold by Reviver, a leading U.S. vendor. This vulnerability allows hackers to tamper with digital plates, raising serious concerns about the potential for criminal misuse and its impact on road safety and law enforcement.
The Appeal and Risks of Digital License Plates
Digital license plates offer numerous advantages over their traditional counterparts. With the ability to change the displayed message, users can customize the plate with novelty text or use it to indicate that a vehicle has been stolen. Their sleek design, combined with smartphone integration, has made them increasingly popular. However, these plates are not without their risks. Rodriguez, a security researcher at IOActive, demonstrated how digital plates can be “jailbroken,” allowing hackers to alter the displayed license number or even change it entirely to evade traffic enforcement.
Rodriguez discovered that by removing a small sticker on the back of the plate and attaching a cable to its internal connectors, the firmware could be rewritten in just minutes. Once modified, the plate could be controlled via Bluetooth, enabling users to change the license plate number or assign fines to other drivers.
“You can display whatever you want on the screen,” said Rodriguez. “This could allow someone to avoid speeding tickets or shift penalties to innocent drivers. The consequences could be severe.”
Exploiting the Vulnerability for Criminal Gain
The ability to manipulate a license plate number opens the door for dangerous misuse. Criminals could exploit this vulnerability to evade law enforcement, avoid tolls, or frame other drivers for violations. In addition, Rodriguez noted that jailbreaking these plates could bypass Reviver’s monthly subscription fee, granting continued access to premium features such as GPS tracking.
Unfortunately, the root of the problem lies in the hardware itself. The flaw is embedded in the chips used by Reviver, which means it cannot be fixed with a simple software update. Addressing this issue would require replacing the defective chips in all affected plates, a costly and time-consuming task. As digital license plates become more widespread, this vulnerability poses a growing challenge for law enforcement and traffic regulators.
“This is a nationwide issue,” Rodriguez explained. “Fixing it would require replacing thousands of plates, which is simply not feasible.”
Reviver Responds: Acknowledging the Issue
Despite repeated efforts by IOActive to alert Reviver and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the vulnerability, the company only became aware of the issue after being contacted by WIRED. In its official statement, Reviver condemned any tampering with digital plates, labeling it a criminal act. The company claimed that jailbreaking these plates would require physical access, specialized tools, and expert knowledge, making such incidents rare.
Reviver also revealed plans to redesign its plates with more secure chips in future models. However, Rodriguez disputed the company’s claim that jailbreaking the plates would require specialized tools, explaining that once the firmware is reverse-engineered, the process becomes simple. “Anyone with the right tool could do this in minutes,” he added, comparing it to jailbreaking a smartphone.
The Risks of Widespread Abuse
While Rodriguez has chosen not to release his jailbreak tool to the public, he warned that if such a tool were to be made available, it could lead to widespread abuse. Drivers could acquire pre-jailbroken plates or use hacking tools to alter their own plates, undermining traffic enforcement systems that rely on accurate license plate identification.
“If someone were to hack your plate without your knowledge, like a mechanic or valet, they could track your movements or assign fines to you,” Rodriguez warned. Although Reviver’s plates do notify owners when removed, a hacker could circumvent this by jamming the plate’s communication signals, adding an additional layer of risk.
Previous Breaches and Growing Concerns
This isn’t the first time Reviver’s security systems have been called into question. In 2022, security researcher Sam Curry discovered vulnerabilities in the company’s web infrastructure that allowed him to alter license plate data. Unlike Rodriguez’s hardware hack, Reviver was able to address the web-based flaw relatively quickly. However, Curry noted that Rodriguez’s hardware method is likely to appeal to those seeking to bypass detection or penalties.
“People who want to cause trouble on the road would find this hack attractive,” Curry said. “Imagine switching your plate number and speeding through cameras, only to change it back without ever stopping.”
A Wake-Up Call for Digital Plate Regulation
Currently, digital license plates are legal in a handful of states, including California and Arizona, with other states considering their adoption. As the technology becomes more widespread, experts like Rodriguez and Curry stress the importance of addressing potential security vulnerabilities. Regulatory bodies, manufacturers, and law enforcement agencies must work together to ensure that digital plates are secure and that systems relying on them are not easily exploited.
“People will always find ways to hack these systems,” Curry warned. “It’s crucial to recognize these risks before they spiral out of control.”