Adding an always-connected device to your vehicle can bring some benefits. It also provides a new way for hackers to track you or collect personal information, as first reported by Vice.
A group of cybersecurity researchers recently published a report on several vulnerabilities they discovered in connected cars. Hackers have found ways to accurately locate vehicles from major OEMs and to obtain customer information, including names, phone numbers, email addresses, and loan statuses.
For Reviver's plates, hackers have discovered that they can change the message displayed on the panels and, yes, track cars. The vulnerability has been fixed.
Well, it didn't take long. The California DMV approved new digital license plates from Reviver in October, and now we've learned just how vulnerable they are to third-party hacking attacks. Reviver, the only company to offer digital license plates, notes that they offer some technical advantages over traditional metal plates, such as automatic renewal of the tags and the ability to change what the plate displays, for example to show that the vehicle it's attached to is stolen. But there have always been downsides, including the high cost and added complexity.
Last week, as reported by Vice, a group of cybersecurity researchers interested in finding access points to connected vehicles announced that they had discovered vulnerabilities in various brands and services. This included locating and tracking vehicles from multiple brands, including Kia, Honda, Infiniti, Nissan, Acura, Hyundai, and Genesis. According to the published report, they can also find personal details on customers of several brands, including the loan status of Toyota customers.
When it comes to a network of connected vehicles called Spireon that is primarily involved in fleet management applications, the hackers said they have "access to everything." For Reviver, the team was able to access the network without much apparent trouble. The cybersecurity researchers posted details of how they accessed Reviver's back end, including how the app and other online services behaved during a password reset request. People with a greater understanding of lines of code can follow those details, but once they entered the Reviver network, the researchers could have "super-full administrative access" to all user and vehicle accounts for all vehicles connected to Reviver. That would have allowed them to track the physical location of these plates, change the plate to say whatever they want, and access all user records, "including which vehicles people owned, their physical address, phone number, and email address."
Officially, Reviver acknowledges that the customer data it collects may be vulnerable to third parties. "We have adopted reasonable and appropriate security measures to help protect against loss, misuse and unauthorized access to the information you provide to us," the company said on its website. "Please note, however, that no data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect your information and privacy, we cannot guarantee the security of any information you disclose or transmit to the Services."
Reviver responded quickly
Things seem to be resolved now. Cybersecurity researchers said they reported a vulnerability in Reviver, and it was quickly patched. However, had these white-hat hackers not tried to get the issues fixed, they would have had the ability to "remotely update, track, or delete anyone's Reviver board." The researchers said they could "also reach out to any dealer (for example, Mercedes-Benz dealerships will fill in Reviver plates) and update the default image used by the dealer when the newly purchased vehicle still has the dealer's tags." They also gained full access to Reviver's fleet management functionality.
In a statement, Reviver told Car and Driver that it met with a member of its cybersecurity research team after being informed of the app's potential vulnerability.
After the meeting, Reviver not only fixed its app in less than 24 hours, but "also took further action to prevent this from happening in the future." Reviver said customer information was not affected. "As part of our commitment to data security and privacy, we also took this opportunity to identify and implement additional safeguards to complement our existing critical protections," the company said. “Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading specialists, tools, and systems to build and monitor our secure connected vehicle platforms.”