Tuesday, January 10, 2023

California’s New Digital License Plates Get Hacked

Late last year, California became only the third state in the US to allow digital license plates. The fancy customizable plates are only available from a company called Reviver, which charges users $20 to $25 per month. At the time, Reviver swore that the DMV-certified cloud service backing the plates was entirely secure, but now we know differently. A team of security researchers hacking around in the automotive industry was able to easily gain access to Reviver’s system, revealing the real-time GPS location of all vehicles.

Security buff Sam Curry says he became interested in Reviver because the nature of its product meant that it had location data on all subscribers. The digital license plates come in wired and wireless versions, both of which have a low-power LTE radio to remain connected to the company’s servers. That’s how users can change their plate’s custom text or mark the vehicle as stolen.

The researchers started by scanning the HTTP traffic to see where the API traffic was routed. After creating a Reviver account, the team found their new user was assigned a unique JSON object that marked it as a “CONSUMER” account. The app did not allow changing the type field, but it turns out the website did allow changing account types via JavaScript.

At first, they only managed to switch to a “CORPORATE” account, which would allow managing a fleet of vehicles. After some trial and error, the researchers discovered the “REVIVER_ROLE” account type. After updating the test account to that, they found all API calls, including vehicle location and changing the plate text, were accessible. They could even access the data for dealers like Mercedes-Benz that bundle Reviver plates, allowing them to change the default image on the dealer plates.
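The class of flaw described above, a client-supplied account type that the backend trusts, can be shown as a vulnerable update handler beside a hardened one. This is an added example, not Reviver's code: the function names, the `displayName` and `email` fields, and the assumption that the server copied the request body onto the stored record are all hypothetical; only the three account type strings come from the article.

```javascript
// Added example: handler names and record layout are assumptions, not Reviver's API.
const ACCOUNT_TYPES = ["CONSUMER", "CORPORATE", "REVIVER_ROLE"]; // values named in the article
const SELF_EDITABLE = new Set(["displayName", "email"]);        // hypothetical profile fields

// Vulnerable pattern: every key in the request body is copied onto the record,
// so a client that sends {"type": ...} chooses its own privilege level.
function updateAccountVulnerable(account, body) {
  return Object.assign({}, account, body);
}

// Hardened pattern: allowlist the fields a user may edit on their own record,
// and treat "type" as a privileged field that only staff may change.
function updateAccountHardened(actor, account, body) {
  const next = { ...account };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (key === "type") {
      const staff = actor.type === "REVIVER_ROLE";
      if (staff && ACCOUNT_TYPES.includes(value)) next.type = value;
      else rejected.push(key);
    } else if (SELF_EDITABLE.has(key) && typeof value === "string") {
      next[key] = value;
    } else {
      rejected.push(key); // unknown or protected field: drop it and report it for logging
    }
  }
  return { account: next, rejected };
}

// Authorization for sensitive calls reads the stored type on the server,
// never a value supplied in the request.
function canReadFleetLocations(storedAccount) {
  return storedAccount.type === "REVIVER_ROLE";
}

// Constructed sample data: a consumer account and a profile update that also carries "type".
const consumer = { id: 101, type: "CONSUMER", displayName: "Test User", email: "t@example.test" };
const request = { displayName: "New Name", type: "REVIVER_ROLE" };

const weak = updateAccountVulnerable(consumer, request);
const strong = updateAccountHardened(consumer, consumer, request);
console.log("vulnerable:", weak.type, canReadFleetLocations(weak));
console.log("hardened:", strong.account.type, strong.rejected, canReadFleetLocations(strong.account));
```

The `rejected` list is worth logging: a consumer session that repeatedly submits a `type` field is a useful detection signal.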

At this point, the team disclosed the security hole to Reviver, which, to its credit, patched the issue in 24 hours. Reviver released a statement on the incident, saying it has investigated and confirmed no third parties had used the vulnerability to steal user data. Still, the relative ease with which a handful of security researchers were able to completely compromise the company’s systems could rightfully make drivers wary of signing up for the new digital plates. Sure, this flaw has been patched, but are there more, and is it worth the risk just to have a digital license plate with a line of custom text at the bottom?

Source: ExtremeTech https://ift.tt/hG1ONIe
