Anyone who’s grown up watching crime dramas or reading cheesy spy novels is probably familiar with this scene. A criminal in hot pursuit by police makes a sharp turn down a side street, jumps out the driver side door then quickly swaps out their license plates with a backup pair hiding in the trunk. The driver then flees the scene, passing by surveillance cameras and license plate detectors unnoticed.
Cybersecurity researchers at frim IOActive have demonstrated how a similar type of sleight of hand can potentially be performed in the real-world by hacking a popular brand of new digital driver’s license plates. By using a “fault injection” hardware attack, the researches have shown how a hacker could, hypothetically at least,essentially jailbreak a digital license display and replace the plate number with a custom message of the hacker’s choosing. Though the attack, reported on this week in Wired, requires considerable levels of access and determination to pull off, researchers say it could, in theory, allow a driver to avoid paying tolls or parking tickets, evade law enforcement, or even surreptitiously track another person’s movements using the plate’s internal GPS.
“If an attacker wants to modify the license plate of a victim for some particular reason, then the attacker, having the custom malicious firmware file, just needs to go to the vehicle, remove two screws, connect a cable, and install the malicious firmware on the plate,” IOActive Principal Security Consultant Josep Pi Rodriguez told Popular Science. “All these steps take fewer than five minutes.”
It’s worth noting this form of attack was uncovered by a cybersecurity firm actively searching for potential vulnerabilities. Popular Science found no evidence of such an attack having taken place yet in the real-world in media reports.
What are digital license plates?
Digital license plates, first introduced in 2018, replace standard metal or plastic license plates with an alterable digital display. These displays are often wired directly into the car and run off the car’s power source, though some also have their own battery power source. The changeable digital display lets drivers more quickly update the vehicle registration displayed on the plate and even display amber alerts and some approved advertising. The digital plates can also send out a signal when a vehicle is reported stolen to help law enforcement track it down. These newer plate alternatives are currently available for everyday passenger vehicles in three states—Arizona, California, and Michigan—and for commercial vehicles specifically in Texas. California-based Reviver is the largest manufacturer and has reportedly sold 65,000 plates in the US.
Though digital plates promise convenience, security researchers have previously worried they could similarly become enticing targets for hackers and other criminals. In this case, Rodriguez says he detached a Reviver digital plate and attached a cable to its connectors. He then used a fault injector technique, which hackers use to force a device to malfunction, by attaching wires to chips in the plate in order to monitor voltage and then glitch the voltage at key moments. That process reportedly switched off some of the plate’s security features. Rodriguez was able to then swap out the device’s firmware and remotely command it via Bluetooth with a phone app.
Once he had control over the plate, Rodriguez was able to switch out the digital display to show any character or image he wanted. An image of the compromised plate shared with Wired shows the phrase “HACKED BY IOACTIVE’ in place of a license plate number.
“With this new firmware created by IOActive, a malicious user can change the plate screen at will using a mobile app that connects over BLE [Bluetooth] to the plate,” Rodriguez wrote in research published earlier this year.
A Reviver spokesperson told Popular Science efforts to manipulate license plate numbers “are not new” and preceded the advent of digital displays.
“Objectively, manipulating standard metal plates is far easier than tampering with Reviver’s digital plates, which are designed with multiple layers of protection,” the spokesperson said. “By contrast, standard metal plates can be easily swapped, cloned, tracked, simulated, or tampered with.”
Privacy experts fear compromised digital plates could evade surveillance and track drivers
It’s not hard to see how switching license plates on the fly could pose a risk. Theoretically, a driver taking advantage of this attack could make up a false number to trick the toll booth camera or parking meter system to avoid paying. More consequently, a fake plate could also be used to trick AI-enabled license plate readers, which police around the country regularly use to identify and track potential criminal suspects. A bad actor could even take someone else’s real license plate number and apply it to their own digital plate to trick systems into thinking they are someone else. Rodriguez suggested a skilled hacker could even possibly connect a plate over a cellular network to a remote server and monitor the device’s onboard GPS to track a person’s movements. All of this, it’s worth noting, is very illegal.
It’s also, at least according to Reviver’s telling of things, not something drivers need to worry too much about. The spokesperson went on to say that the type of attack demonstrated by IOActive required physical access to a vehicle and specialized tools and expertise that combined make it “highly unlikely to occur” in the real world. The company claims those factors limit the types of people who could carry out such an attack to “individual bad actors knowingly violating laws and product warranties.” The spokesperson said Reviver customers also receive a notification alerting them anytime a plate has been removed or tampered with. In that scenario, the plate goes into “detached mode” and stops communicating with Reviver’s systems.
“These safeguards ensure that any tampering is instantly detected by both the plate owner and Reviver,” the spokesperson said.
The spokesperson also told Wired it’s planning to redesign newer plate models to no longer use the chips that were vulnerable to the fault injection. But that does not appear to address the potential vulnerability on plates that have already been sold. Rodriguez pushed back against some of Riviver’s reassurances. In theory, he said, a hacker could buy a jailbreaking tool like the one he designed and rewrite the firmware on targeted digital plates in just a few minutes and without much technical know-how.
“If the person who created the custom firmware published it on the internet, then the license plate users would just need to download the firmware file, connect a cable to the license plate and install it,” Rodriguez told Popular Science. “This is a similar process we see when people are jailbreaking their own smartphones to unlock them.”
“Almost any user could install a new custom firmware that is available on the internet,” he claimed.
Win the Holidays with PopSci’s Gift Guides
