Digital license plates, which are already legal to purchase and drive nationwide in a growing number of states, offer a few advantages over their sheet metal predecessors. You can change its appearance in an instant, so you can, for example, frame your license plate with novelty messages, or indicate that your car has been stolen. Now a security researcher has shown how they can also be hacked to enable a less innocent function: changing a car's license plate at will to avoid traffic fines and tolls – or even pin them to someone else.
Josep Rodriguez, a researcher at security firm IOActive, has unveiled a technique to “jailbreak” digital license plates sold by Reviver, the largest supplier of those license plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to the internal connectors, he can rewrite the firmware of a Reviver plate in minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands from a smartphone app via Bluetooth to instantly change its display to show characters or images.
That susceptibility to jailbreaking, Rodriguez points out, could allow drivers with license plates to bypass any system that relies on license plate numbers for enforcement or surveillance, from tolls to speeding and parking fines to automatic license plate readers that police use to track criminal suspects . “You can put whatever you want on the screen, which users are not allowed to do,” says Rodriguez. “Imagine driving through a speed camera or being a criminal and not wanting to get caught.”
Worse still, Rodriguez points out that a jailbroken license plate can be changed not only to any number, but also to the number of another vehicle, whose driver would then receive the malicious user's tickets and toll bills. “If you can change the license plate whenever you want, you can cause real problems,” Rodriguez said.
All traffic-related mischief aside, Rodriguez also notes that jailbreaking the license plates could also allow drivers to use the license plates' features, including built-in GPS tracking, without paying Reviver's $29.99 monthly subscription fee.
Because the vulnerability that allowed him to rewrite the boards' firmware is at the hardware level (in Reviver's chips themselves), Rodriguez says there's no way Reviver can fix the problem with just a software update. Instead, these chips would have to be replaced in every display. That means the company's license plates will most likely remain vulnerable despite Rodriguez's warning — a fact, Rodriguez says, that transportation policymakers and law enforcement agencies should be aware of as digital license plates are rolled out across the country. “It's a big problem because now you have thousands of license plates with this problem, and you would have to change the hardware to solve the problem,” he says.