Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
A team of security researchers managed to gain “super administrative access” into Reviver, the company behind California’s new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers.
“An actual attacker could remotely update, track, or delete anyone’s REVIVER plate,” Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.
Do you know any other cases of exposed location data? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and “legal to purchase in a growing number of states.”
Customers can pay between $20 and $25 a month for a battery or wired powered version of the plate, according to Reviver’s website. The plates have around a 5 year