Researchers Track GPS Location of All of California's New Digital License Plates (vice.com) 53
An anonymous reader quotes a report from Motherboard: A team of security researchers managed to gain "super administrative access" into Reviver, the company behind California's new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. "An actual attacker could remotely update, track, or delete anyone's REVIVER plate," Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.
California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and "legal to purchase in a growing number of states." [...] In the blog post, Curry writes the researchers were interested in Reviver because the license plate's features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included "CONSUMER" and "CORPORATE." Eventually, the researchers identified a role called "REVIVER," managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, which included tracking the location of vehicles. "We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry writes. "We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags." Reviver told Motherboard in a statement that it patched the issues identified by the researchers. "We are proud of our team's quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections," the statement read.
"Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles," it added.
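The summary above describes the vulnerability only at the level of "the researchers identified a role called REVIVER and managed to change their account to it". The added example below (not Reviver's code, and not a reconstruction of how their API was actually exploited) shows the most common way such a self-promotion happens in a web backend: a profile-update endpoint that copies whatever JSON keys the client sends onto the account object (mass assignment), including the server-owned "role" field, beside a hardened endpoint that allow-lists the fields a user may edit on their own account. The role names CONSUMER, CORPORATE and REVIVER come from the report; the class names, endpoints, account data, coordinates and plate IDs are constructed for the example.

```python
# Added example, not Reviver's code: a plate API whose profile update trusts
# a client-supplied "role" (mass assignment) next to an allow-listed version.
# Role names come from the report; everything else here is constructed.
import json
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    role: str            # "CONSUMER", "CORPORATE" or "REVIVER"
    display_name: str = ""


@dataclass
class Vehicle:
    plate_id: str
    owner: str           # account email
    gps: tuple           # (lat, lon)
    message: str         # personalised banner text on the plate


class PlateApi:
    PRIVILEGED = frozenset({"REVIVER"})        # super-admin role
    EDITABLE = frozenset({"display_name"})     # fields a user may set on self

    def __init__(self, accounts, vehicles):
        self.accounts = {a.email: a for a in accounts}
        self.vehicles = {v.plate_id: v for v in vehicles}

    # Vulnerable: every JSON key that names an attribute is written through,
    # so a CONSUMER who sends {"role": "REVIVER"} promotes themselves.
    def update_profile_vulnerable(self, caller, body):
        acct = self.accounts[caller]
        for key, value in json.loads(body).items():
            if hasattr(acct, key):
                setattr(acct, key, value)
        return acct

    # Hardened: reject any key outside the allow-list; "role" is server-owned
    # and can only change through a separate, privileged admin path.
    def update_profile_hardened(self, caller, body):
        acct = self.accounts[caller]
        payload = json.loads(body)
        rejected = set(payload) - self.EDITABLE
        if rejected:
            raise PermissionError(f"not client-editable: {sorted(rejected)}")
        for key in self.EDITABLE & payload.keys():
            setattr(acct, key, payload[key])
        return acct

    # Object-level check used by every vehicle call: owner or REVIVER only.
    def _can_manage(self, caller, vehicle):
        return (self.accounts[caller].role in self.PRIVILEGED
                or vehicle.owner == caller)

    def vehicle_location(self, caller, plate_id):
        vehicle = self.vehicles[plate_id]
        if not self._can_manage(caller, vehicle):
            raise PermissionError("not owner or REVIVER")
        return vehicle.gps

    def set_plate_message(self, caller, plate_id, text):
        vehicle = self.vehicles[plate_id]
        if not self._can_manage(caller, vehicle):
            raise PermissionError("not owner or REVIVER")
        vehicle.message = text
        return vehicle.message


def fresh_api():
    # Constructed sample data: two consumers, one vehicle each.
    return PlateApi(
        accounts=[Account("alice@example.test", "CONSUMER"),
                  Account("bob@example.test", "CONSUMER")],
        vehicles=[Vehicle("PLATE-A", "alice@example.test", (37.77, -122.42), "HELLO"),
                  Vehicle("PLATE-B", "bob@example.test", (34.05, -118.24), "HI")],
    )


# The body an attacker sends: a legitimate field plus the privileged one.
ESCALATE = json.dumps({"display_name": "Alice", "role": "REVIVER"})


def attack_vulnerable():
    """Alice escalates via the vulnerable endpoint, then reads and rewrites
    Bob's plate. Returns (alice_role, bob_gps, bob_message)."""
    api = fresh_api()
    api.update_profile_vulnerable("alice@example.test", ESCALATE)
    gps = api.vehicle_location("alice@example.test", "PLATE-B")
    msg = api.set_plate_message("alice@example.test", "PLATE-B", "OWNED")
    return api.accounts["alice@example.test"].role, gps, msg


def attack_hardened():
    """Same body against the hardened endpoint: the whole update is rejected,
    the role is unchanged, and Bob's location stays unreadable to Alice.
    Returns (update_rejected, alice_role, location_denied)."""
    api = fresh_api()
    try:
        api.update_profile_hardened("alice@example.test", ESCALATE)
        rejected = False
    except PermissionError:
        rejected = True
    try:
        api.vehicle_location("alice@example.test", "PLATE-B")
        denied = False
    except PermissionError:
        denied = True
    return rejected, api.accounts["alice@example.test"].role, denied


if __name__ == "__main__":
    print(attack_vulnerable())   # ('REVIVER', (34.05, -118.24), 'OWNED')
    print(attack_hardened())     # (True, 'CONSUMER', True)
```

Two design points worth noting. First, the hardened endpoint rejects the entire request rather than silently dropping the unknown key: a client sending "role" is either buggy or hostile, and a rejection is the event you want in the logs. Second, the object-level check in _can_manage is what makes the role bug matter at all; an API that checked only "is the caller logged in" before returning a vehicle's GPS would be broken even with the role field locked down, which is the same class of broken object-level authorization the report's "viewing vehicle location" and "adding new users to accounts" calls point at.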
Questions... (Score:5, Insightful)
* why has this been farmed out to a private company?
* what do they actually do with the data (it's a given they're collecting and storing it)?
Re: (Score:1, Insightful)
* why does a license plate need GPS
So they can track you
* why has this been farmed out to a private company?
Why have prisons been farmed out to private companies?
* what do they actually do with the data (it's a given they're collecting and storing it)?
A cull of dark skinned human beings. The US is full of white supremacists.
Re:Questions... (Score:5, Informative)
The Biden administration has banned any new private prisons and has taken steps to begin shuttering existing ones.
Re: (Score:2)
Most states don't use or allow private prisons.
Re:Questions... (Score:5, Interesting)
The Biden administration has banned any new private prisons and has taken steps to begin shuttering existing ones.
Biden has moved to ban federal private prisons. This does not affect state private prisons which are a major problem. Fortunately, more and more states are moving to phase them out too. Unfortunately, the worse offenders of state private prisons are not on that list.
Re:Questions... (Score:5, Informative)
Let's paint the picture.
A Silicon Valley tech bro, likely from wealthy parents so is pretty wildly insulated from actual issues, says "Hey, what if license plates, but digital?", gets some seed money from his college connections and swindles the already kinda gullible CA government to try out this cool idea with the promise of increased revenue.
It's the "Juicero of the DMV" and the fact that sentence makes some sense is weird and scary.
Re:Questions... (Score:5, Informative)
If you want to see wealthy and insulated from actual issues, look at LA city council. The lowest paid member gets $270k/year, highest paid gets $460k/year. For comparison, the US congress makes $174k/year. It also has one of the highest homelessness rates of any city in the US. Yesterday I was at the beach, and I shit you not it was littered to hell, with the things I saw in the most abundance being face masks and condoms. Today driving home from work I ran over at least three potholes in a one mile span. Such a progressive utopia this city is, tax money well spent.
Re:Questions... (Score:5, Insightful)
Suggestion: Move away.
The more people that throw their hands up and move out, the less money they'll have to blow on stupid shit that doesn't work.
Do you _really_ need (or even want) to live in that area? Are you truly happy there?
I'm really not looking to challenge you personally -- if it's honestly your jam, then by all means stick around. Really just pointing out that tech worker WFH generally means that we get to take our high tax yield incomes to whatever municipality we like. So, maybe pick a nice place that isn't run by shitheads that you disagree with on fundamentals?
Just something to consider.
Re: Questions... (Score:2)
No, it is not my jam. Circumstances have just placed me here for the moment. I want out of this shit. Progressives, who bitch about CEOs making too much money, really don't care when their elected representatives deprive people like me of the money I earned and put it in their own pockets. And I only make half of what they do.
Re: (Score:2, Insightful)
Progressives, who bitch about CEOs making too much money, really don't care when their elected representatives deprive people like me of the money I earned and put it in their own pockets.
Those aren't progressives. Those are neoliberals, which actually (literally!) means fascists.
Re: Questions... (Score:2)
If people in California know this, then why do they keep electing them? The urban areas of this state are 100% run by democrats, and they're by far the most broken.
Re: (Score:2)
If people in California know this, then why do they keep electing them?
Speaking for myself, it's because the alternatives presented have been even worse. My first instinct is to blame the party. They won't support any candidate who isn't a shitheel, and there's so much money involved that it's unrealistic to attempt candidacy without their support. My second instinct is to blame first past the post voting systems. We need ranked choice voting everywhere, for everything. It is far more democratic. First past voting systems create this very situation.
Re: Questions... (Score:2)
California could do that if they wanted to. How they set up their ballots is entirely up to them. And for almost all intents and purposes, it's a single party system.
Re: (Score:2)
California could do that if they wanted to. How they set up their ballots is entirely up to them. And for almost all intents and purposes, it's a single party system.
It's that way pretty much everywhere but, recently, Alaska. Somebody has a stranglehold and isn't letting go, and nearly all of them are mostly or wholly corrupt.
Re: Questions... (Score:2)
Which is what I really don't understand. Why are the public utilities in such bad disrepair? Why is homelessness such a big problem? They have tons of money, so what the hell are they doing with it, aside from lining their own pockets?
Re: Questions... (Score:2, Troll)
why does a license plate need GPS
to catch criminals. Why don't you want to catch criminals?
* why has this been farmed out to a private company?
Privatization of government operations is more efficient. Why do you want to waste taxpayers' money?
* what do they actually do with the data (it's a given they're collecting and storing it)?
Anything they want. It's a given they will do anything they want.
Re: (Score:2)
I don't want to catch criminals. I'd rather have a less-than-perfectly-safe society than one where breaking rules is impossible. Color me chaotic-something.
You don't want to catch criminals? So you are in favour of crime? So you are a criminal. What if your child was molested by someone who drove away in a car. Wouldn't you want to track and catch him?
Re: (Score:3)
Privatization of government operations is more efficient. Why do you want to waste taxpayers' money?
Wait, what? Do you mean the government is paying those private companies with something other than taxpayers' money?
Re: (Score:2)
What does the Reviver web site say?
Who is the CEO and CTO of Reviver?
What connection do they have with the State of California?
What is the annual salary of these people?
Re: (Score:3)
* why does a license plate need GPS? * why has this been farmed out to a private company?
Why do you think that if it were run by "the government" that the location data would be less misused or vulnerable? (Hint- it probably wouldn't).
Re: (Score:2)
Expect insurance companies to give you a discount ... though in some states that might be illegal.
Every road is a toll road (Score:5, Insightful)
It's a brave new world, isn't it!?!?
Re:Every road is a toll road (Score:4)
They could already do all this with license-plate readers on traffic-cams. Difference is using radio signals makes it harder to f*ck with that system.
Back of your car is dirty so the plate is hard to read? Camera is blocked, radio signals are not. Car has an almost-license-plate-looking bumper sticker? Camera might be fooled, radio receiver won't. And traffic-cameras look like cameras and work straight-line-of-sight, while radio transmitters can look like anything and cover all vehicles within X distance.
Re: (Score:1)
Questions 1 and 3 seem self explanatory when you realize the answer to #2 is "scapegoat" and/or "deniability".
A better question is why would anyone willingly sign up for this?
Re:Questions... (Score:4, Informative)
Actually, if they are tracking individual users, they are breaking the law. The amended law specifically states they can't track individual vehicles unless they are commercial or fleet vehicles, and they must display a notice that they are being tracked. I don't know why the GPS data would be in Reviver's database.
SECTION 1.Section 4463 of the Vehicle Code is amended to read:
(2)(A)Except as specifically authorized in subparagraph (B), an alternate device shall not include vehicle location technology. The department shall, by no later than January 1, 2024, in a manner determined by the department, recall any devices with vehicle location technology that have been issued pursuant to Section 4853, to vehicles other than those described in subparagraph (B). The department may adopt regulations to carry out this requirement.
(B)Vehicle location technology may be offered for vehicles registered as fleet vehicles, pursuant to Article 9.5 (commencing with Section 5301), commercial vehicles, as defined in Section 260, and those operating under an occupational license, pursuant to Division 5 (commencing with Section 11100).
(C)The vehicle location technology, if any, shall be capable of being disabled by the user.
(D)The vehicle location technology, if any, may be capable of being manually disabled by a driver of the vehicle while that driver is in the vehicle.
(3)If the device is equipped with vehicle location technology, an alternative device shall display a visual indication that vehicle location technology is in active use.
*emphasis added https://leginfo.legislature.ca... [ca.gov]
Solution for a problem that never existed (Score:5, Insightful)
Re:Solution for a problem that never existed (Score:5, Interesting)
These cost extra, have a monthly fee, really aren't all that customizable, and as we see they're vulnerable.
I fully expected to start seeing these on high-end cars, but over the last few months I've been seeing them more and more on lower and mid level cars. Which makes it really easy to spot the people who aren't very bright.
Re: (Score:2, Interesting)
Texans certainly don't WANT them to move there. Move to some other liberal shit hole that's already ruined with government overreach and crime.
Re: (Score:3)
It is worse than that: normal license plates are by nature hard to change, while the so-called advantage of these digital versions is the ease of changing the numbers.
This is a prime case where the company selling the product gets 100% of the benefit of the new version while the customer gets a worse product that marketers convince them is somehow 'better'.
Even without the hacking this thing has multiple issues. Far easier to physically alter them by switching out a chip rather than having a metal smith /
Re: (Score:2)
It is worse than that: normal license plates are by nature hard to change, while the so-called advantage of these digital versions is the ease of changing the numbers.
How often does one need to change their license plate, and how mechanically inept do you have to be to consider it hard to do? The only times I've had to change a license plate is when I switched to a personalized or year-of-manufacture plate.
Re: (Score:1, Offtopic)
They are not buzzword-compliant. [reddit.com] (note: fake xkcd; stick figures are prior art by at least 50k years.)
Re: (Score:2)
>"What is wrong with a regular license plate?"
They aren't "kewl"
And, you know, "kewl" is far more important than security, reliability, privacy, cost, etc...
Re: (Score:2)
What is wrong with a regular license plate?
They didn't generate enough profits for private companies.
Re: (Score:1)
What is wrong with a regular license plate?
Nothing is wrong with regular license plates. If you are looking for a reason for this product then look no further than this: Fools have money and are willing to trade it for the latest gadget.
Patch THIS (Score:3)
>"Reviver told Motherboard in a statement that it patched the issues identified by the researchers"
And how do you "patch" it so that nobody can monitor your position, including Reviver?
Why anyone would put such a device on their vehicle is baffling.
Re: Patch THIS (Score:1)
Security will be in 2.0 (Score:2)
Which Non-Partizan Body Should Hold Info (Score:2)
Nothing to see here (Score:3)
The purpose of GPS is to track and locate things. What else would it be used for?
Screw that! (Score:2)
Unneeded public-private partnership (Score:2)
Here is an example of a public-private partnership that simply shouldn't exist. There's too much power in the hands of a corporate exec tied up in public info. I know there are other examples, but at some point plates will have some kind of this basic functionality. I'd rather some lower-paid DMV worker have access than some money-grubbing a-hole with some conceptual axe to grind. We all know us low-paid workers might pull pranks, but we don't think we're all-important beings like most CEOs.
They patched the door (Score:2)
I am sure they closed the access off further, and I am also sure they did not remove those capabilities from their system.