Hacking Digital License Plates

Not everything needs to be digital and “smart.” License plates, for example:

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he’s able to rewrite a Reviver plate’s firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image.

[…]

Because the vulnerability that allowed him to rewrite the plates’ firmware exists at the hardware level­—in Reviver’s chips themselves—Rodriguez says there’s no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display.

The whole point of a license plate is that it can’t be modified. Why in the world would anyone think that a digital version is a good idea?

Tags: , , ,

Posted on December 17, 2024 at 12:04 PM19 Comments

Comments

Jamie December 17, 2024 12:50 PM

I remember someone trying to do this a couple decades ago, wonder if it is the same people.

Maybe for their next trick, they could try digital physical currency. Why shouldn’t your Dollar become a Euro on demand?

Alan December 17, 2024 1:09 PM

I think it would be great for privacy if your license plate number changed every 24 hours, and only the state could translate the plate number to a specific car and owner.

Matt December 17, 2024 1:45 PM

Color me completely unsurprised that these turned out to be easy to hack.

The one plausible use case I’ve heard for a digital plate is to be able to press a button in the car and have the plate change to flash “call police” if, like, someone carjacks you and forces you to drive somewhere. But there are still a myriad of problems with that idea, and even if there weren’t, it still doesn’t justify this otherwise totally unnecessary and problematic technology.

TexasDex December 17, 2024 1:55 PM

It’s not just ‘this new technology adds obvious and unacceptable security risks’, it’s ‘what does it gain us?’ What new features does a digital license plate enable that couldn’t be done with a screwdriver in five minutes?

Is the eventual goal to have all cars equipped with this from the factory? Is there some kind of privacy-enabling feature that lets people get new plate numbers periodically so that private ALPRs can’t do long-term tracking? (I would be very surprised if that were the intent)

TimH December 17, 2024 2:31 PM

The point of the digital plates is to normalise vehicle tracking through a hardware that has to be fitted to every car, no matter how old, that’s on the road.

Chris December 17, 2024 3:38 PM

Three reasons I can think of.
1. Some people stand to profit from the creation of new digital devices.
2. The Silicon Valley Hype machine relentlessly pushes technological solutions to everything. Now you can have “smart homes” that in reality are “hackable homes”. Most of that we really don’t need.
3. There’s demand for devices that can be used to do illegal things, from spies and criminals.

This is good for a few individuals, but not for society at large.

Bob December 17, 2024 3:57 PM

The problem is that they focused on front-end presentation first. What they should have done is build a blockchain back-end, and then pulled the presentation from the blockchain.

Cornell December 17, 2024 5:05 PM

One purpose of digital plates is that they flash the word STOLEN when stolen. So that’s pretty handy.

But criminals who know of this exploit can just put on their own fake digital plate instead.

So it’s a question of whether this prevents recovery of stolen cars more than the amount of people stealing them and using a digital plate to make it easier.

Jordan Brown December 17, 2024 7:20 PM

Why in the world would anyone thing that a digital version is a good idea?

thing -> think

(And yes, my thought exactly.)

Clive Robinson December 17, 2024 9:14 PM

@ Bruce, All,

With regards,

“The whole point of a license plate is that it can’t be modified. Why in the world would anyone thin[k] that a digital version is a good idea?”

That might be easier to explain than you might think…

First off store “shelf price labels” have gone E-Paper rather than be printed out and stuck on the front of the shelf as they used to be. They are sold as saving time and money (though the jury might be out for quite some time).

If you think about it a “one time price label” is in many ways the same as a “one time licence plate”.

Once you’ve “made the technology” changing it to do what on the surface is the same job is just a tiny change in a business model.

More interestingly it can be sold as “more secure” simply by having a hand unit/scanner that reads the vehicles VIN into the system to associate with the licence plate.

I can think of a whole load of other desirable sales features, including the various ways to reduce costs.

So unless people “understand” and most don’t then fundamental, foundational, failings, will cause the house of cards to fall.

The most fundamental problem of all is it is not possible in an “Off Line System” to,

“Tie an information object to a physical object.”

People keep trying and as we see with National and Similar ID Card systems they keep failing.

As the first Woman to head the UK MI5 Homeland Security Service Stella Rimington made the observation that there actually was no way to prove who you are.

The joke of ID is the “Birth Certificate” from which all else outgrows. Usually through the “Pass Port” or in more backwards places the “Drivers Licence” all of which have no actual tie to an individual as they are basically “Data Base Systems” in which the entries can be changed at the will of those who control it.

Now replace a nearly unique human being with a very far from unique mechanical device. The only measurable difference between then is a serial number –the VIN for a vehicle– applied at the factory.

Can the serial number be changed or falsified, as far as I’m aware as far as physical macro systems the answer is always “Yes” it’s just the difficulty involved.

So the “Licence Plate” is easily changeable and designed to be so, and the VIN number somewhat less so, but as crooks know sufficiently so to pass human sense verification.

It kind of makes things a “moot point” and you can be sure that quite a few officials are all to aware of this.

Do they care?

The answer is “NO” providing two things are true,

1, It’s not to easy to make a change.
2, The fact it can be changed is not widely known.

So the answer about licence plates is,

“It is at best security by obscurity”

Because that is “low cost” and “minimal hassle”.

Even going to a fully “online system” will not change the fact that the backend database can be changed at will by anyone with sufficient authorization held by their “account”.

Which kind of should now tell you that it is a,

“Turtles all the way down”

Problem, thus has no sufficiently reliable solution.

Winter December 17, 2024 9:19 PM

@Jamie

Maybe for their next trick, they could try digital physical currency. Why shouldn’t your Dollar become a Euro on demand?

That is exactly what a credit/debit card does. Where ever I go, my card pays in local currency.

hacking December 17, 2024 11:35 PM

Why in the world would anyone thing that a digital version is a good idea?

If anyone knew, I thought it would be you

Agammamon December 18, 2024 12:39 AM

The sort of people who always want more government control – now they can make your license plate flash messages like ‘tags expired’ in order to help your fellow rats identify who they should call the cops on.

Then there’s the ‘web 3.0’ crowd who think everything should always be online and something something blockchain.

“The one plausible use case I’ve heard for a digital plate is to be able to press a button in the car and have the plate change to flash “call police””

It would make more sense for that button to just . . . call the police.

Clive Robinson December 19, 2024 12:59 AM

@ Agammamon, ALL,

With regards,

“Then there’s the ‘web 3.0’ crowd who think everything should always be online and something something blockchain.”

I was deliberately avoiding a direct mention of Web3 and blockcchain in my above, for the simple reason it tends to pull out a certain type of fanboi.

For fundamental reasons the most obvious three being,

1, It forces an “On Line” mode of behaviour that is at best unreliable where vehicles are concerned.
2, A blockchain even without a “proof of work” is still incredibly resource intensive to run.
3, A blockchain is also incredibly slow thus has a low transactional rate, even when being used in what is mainly a “read only” database systems.

But there is a less obvious problem. When things are resource bound and slow people look for ways around the limitation and that in turn creates other problems.

For those old enough and creaky enough an example was “Data Warehousing with central asymmetric push”. As an idea it’s still used but it causes time windows where inconsistencies can be leveraged such as in financial systems.

Worse is if the loop gets closed in some way… think for instance of an adaptive purchase system based on stock held values. Where the “On Line shop” feeds back sales into the pricing system that in turn effects the central DB that many assumed was isolated but in fact is not. You end up with a feedback loop that is in effect under the control not of the selling organisation but the buyers.

Such feedback loops occurre in all sorts of places where some form of rate control is applied. You get under and over shoot when the load on the system changes. Get the load changes wrong and the control system goes into a form of oscillation. Other issues cause other problems.

Due to the load and constraints blockchain causes the more likely such issues are to be exploitable by those with only minor hostile intent.

Rontea December 19, 2024 1:50 PM

“Why in the world would anyone think that a digital version is a good idea?”

Digital license plates offer several benefits over traditional ones. Firstly, they can display emergency alerts and important messages, enhancing public safety. They also provide better tracking and recovery options for stolen vehicles, as they can be updated remotely. Furthermore, digital plates can help streamline registration processes, providing real-time updates on registration status. They are a step forward in integrating technology into road safety and vehicle management, offering convenience and enhanced features that traditional plates cannot.

ResearcherZero December 20, 2024 3:23 AM

License plates can be modified with a can of spray paint. Not exactly ideal, but the only plate details I could get from a car speeding down the highway was “f**kme” in orange.

Clive Robinson December 22, 2024 3:05 PM

@ Rontea

With regards,

“Digital license plates offer several benefits over traditional ones.”

Unfortunately your list gives none, which is hardly surprising as it sounds as though lifted from a manufacturer sales flip, or by asking some LLM to make the list.

I could go through and debunk every one of them but it would probably get moderated.

However I can give you two points,

1, They create a faux market
2, That will be used to raise income via fines and taxes that are not “flat rate fair”.

This will happen, initially because some political wonk will insist it has to be “budget neutral” or worse “cost saving”.

Both are code phrases for “fines” and similar “user payment”

But in time like “Social Security” or “National Insurance” politicians will see it as an income stream to enrich not just their cronies thus themselves, but also pay for all sorts of unrelated activities. Thus it will get rejiggered in various ways to make the income greater from those at the bottom of the socioeconomic ladder. After all fine them till they can not pay put them in private prisons and the cash register rings.

And no I’m not being cynical this is already happening in other “local taxation” so it’s a well established “cash cow”.

Joseph Kanowitz December 26, 2024 5:40 AM

ב”ה, aside from novelty/vanity text, what has a license plate ever solved that manufacturers painting the VIN on the back of the vehicle wouldn’t?

Anyway, since I bothered, remember registration tags, saving a lookup before automated scanners were everywhere? Must be great to have an “in” at the automated scanner company (may have met folks in the northeast benefiting) but the original idea was to make that less of a pain in the ass, particularly around the time scrape and restick became a thing. So why not just have an e-ink placard on the vehicle that could occasionally be zapped somehow with whatever made it obvious the registration remained valid.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.