With the advent of advanced automotive technology, more car modules are digitized to power cars with more functionality. For example, car audio systems have been transformed to infotainment systems with large screens, and back mirrors have been digitized to include recording features. Similarly, digital license plates have been introduced to replace traditional license plates.
On Jan. 3, 2023, Sam Curry, a web application researcher, published vulnerability writeups on different car brands and components. His sixth writeup detailed a vulnerability on the management system of digital license plates.
In this entry, we focus on this vulnerability since digital license plates are relatively new and represent how security factors in more components in the automotive industry.
What are digital license plates?
Digital license plates use HD displays that are either battery-powered or connected to a car’s electronics systems directly. They can also be controlled through an app and offer added functionalities. Most notably, they allow users to customize and track their license plates.
In the US, digital license plates became legal in California in October 2022, with a few other states following California’s lead. Currently, digital license plates can be used on ordinary vehicles in California, Arizona, and Michigan, while they are limited to commercial fleet vehicles in Texas. This means car owners are now able to customize their license plates, track their vehicles’ locations, and even manage fleets simply by using mobile apps or the internet.
Because this technology is relatively new, Reviver, a California-based vendor, is the sole provider of such services. In line with this, Sam Curry and his team narrowed their focus on Reviver’s mobile app for controlling digital license plates.
What happened during the investigation?
Figure 1. Diagram summarizing what researchers did to achieve full access
The investigation by Sam’s team led to the discovery of a few critical vulnerabilities in Reviver’s plate management systems. These vulnerabilities could lead to malicious location tracking, altered text on plates, vehicles being incorrectly marked as stolen, access to all of Reviver users’ personal information, and access to the management functionalities of any company using the same systems.
The team also discovered that instead of verifying that a user is who they say they are, with their specific set of privileges, Reviver’s management system blindly trusted whatever exists in a user’s cookie and issued commands accordingly. This resulted in the researchers being able to change specific information in the client web browser and issue superuser commands that are normally unavailable.
In short, a hacker can gain full control over the Reviver’s system and obtain any data in their or in Reviver’s database by creating a new account and modifying data stored in a web browser.
Sam Curry and his team have since reported the issue to Reviver, after which it was patched within 24 hours.
Securing new car technology
This technology shows how far-reaching digitization has become in the automotive world and how, as a result, seemingly simple and straightforward components like license plates can bring security risks along with their added functionalities.
One cause for such vulnerabilities is the API-first philosophy in software design that most car makers adopt. While applications developed through this philosophy can be easily modulated, reused, and extended, this approach could also make it more likely for vulnerabilities in these applications to be overlooked. Therefore, although the API-first philosophy makes it easier and faster for manufacturers and suppliers to make products, they should also ensure that they are designing secure APIs.
In order to prevent similar vulnerabilities from slipping through the cracks in other automotive components, manufacturers should always apply API best practices, ensure security by design, and conduct penetration testing to root out potential security flaws.
VicOne also recommends regular software updates and a more comprehensive automotive cybersecurity strategy to better protect today’s connected vehicles from similar vulnerabilities in the future.
As a subsidiary of Trend Micro, VicOne leverages the cybersecurity leader’s over 30 years of industry expertise and offers the following solutions:
- xNexus, an extended detection and response (XDR) platform for vehicle security operations centers (VSOCs), can help build awareness mechanisms and early warning for incoming attacks.
- xCarbon, an intrusion detection and prevention system (IDPS) for electronic control units (ECUs), provides superior detection and protection in vehicles, allowing VSOCs to quickly understand the nature of a potential attack.
- xZETA allows OEMs to scan vendors’ firmware on multiple levels and effectively reduces the attack surface from the beginning.
- xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.