Full Report
Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance.
Analysis Summary
# Vulnerability: Hardware-Level Firmware Modification of Reviver Digital License Plates
## CVE Details
- CVE ID: Not explicitly assigned in the provided text. (A hardware/firmware vulnerability of this nature often warrants a specific CVE.)
- CVSS Score: Not specified in the provided text. Severity is implied to be High due to the potential for criminal evasion and spoofing.
- CWE: Likely related to Improper Access Control or Insecure Firmware Update Mechanisms if the flaw is viewed through a software lens, but fundamentally a **Hardware Security Failure** due to physical access requirement for the initial root compromise.
## Affected Systems
- Products: Reviver Digital License Plates (Leading vendor in the US).
- Versions: Implied to affect hardware versions susceptible to the described fault-injection technique described by the researcher.
- Configurations: Any deployed Reviver plate lacking hardware countermeasures against physical firmware rewriting.
## Vulnerability Description
A researcher demonstrated that Reviver digital license plates can be "jailbroken" via physical access to the device's internal connectors. By removing a sticker and attaching a cable, the researcher used a fault-injection technique (monitoring voltage and "glitching" it at a specific moment) to bypass security features and gain the ability to analyze and rewrite the plate's firmware. Once this initial complex step is completed, a simplified tool can allegedly be used to instantly change the displayed license plate number or image via Bluetooth commands from a smartphone.
## Exploitation
- Status: PoC available (Researcher demonstrated the technique). Not stated as exploited in the wild, but the researcher developed a simplified follow-up tool.
- Complexity: Initial exploitation (fault injection) is **Medium/High** requiring physical access, timing-sensitive methods, and reverse engineering. Subsequent exploitation using the derived tool is stated to be **Low**—"just need to connect a cable and install the new firmware, just like if you were jailbreaking your iPhone."
- Attack Vector: **Adjacent** (Requires physical access/removal of the plate).
- Impact:
- **Confidentiality:** Moderate (Potential for remote tracking if a malicious actor replaces the firmware to control the plate's GPS).
- **Integrity:** High (Ability to completely spoof the vehicle identification number displayed on the plate, evading tolls, tickets, and potentially framing other vehicles/suspects).
- **Availability:** Low (The plate remains functional, but its integrity as an official identifier is compromised).
## Remediation
### Patches
- **No viable software patch exists.** The vulnerability is rooted at the hardware/chip level. Reviver would need to replace the physical chips in the deployed units to fully mitigate this specific hardware flaw.
### Workarounds
1. **Physical Security:** Drivers must ensure the plate is secured against unauthorized physical removal or tampering. (Note: The plate sends a notification upon detachment, which would need to be jammed to perform the hack undetected.)
2. **Sticker Replacement/Tamper Evidence:** While insufficient alone, ensuring the tamper-evident sticker is intact may deter casual tampering attempts.
3. **Law Enforcement Awareness:** Policymakers and enforcing agencies should be aware that license plate readers (ALPRs) may be provided inaccurate data.
## Detection
- **Indicators of Compromise (IoCs):** Unexpected behavior changes, novelty messages appearing, or sudden changes in plate numbers when no authorized modification was scheduled.
- **Detection Methods and Tools:** Standard ALPRs only record what is displayed. Detection relies on identifying evidence of physical tampering (e.g., damaged housing, missing stickers) or monitoring for abnormal command/connection patterns if the plate leaks subsequent communication data. No specific automated detection method described for identifying the underlying firmware alteration.
## References
- Vendor advisory: Reviver has acknowledged the research but has not suggested a hardware replacement plan as of the article date.
- Relevant links:
- WIRED article discussion (URL defanged): https://www.wired.com/story/digital-license-plates/
- Previous Reviver web infrastructure vulnerability report (URL defanged): https://samcurry.net/web-hackers-vs-the-auto-industry#5-mass-assignment-on-reviver-allows-an-attacker-to-remotely-track-and-overwrite-the-virtual-license-plates-for-all-reviver-customers-track-and-administrate-reviver-fleets-and-access-modify-and-delete-all-user-information