Researchers Track GPS Location of All of California's New Digital License Plates (vice.com)

An anonymous reader quotes a report from Motherboard: A team of security researchers managed to gain "super administrative access" into Reviver, the company behind California's new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. "An actual attacker could remotely update, track, or delete anyone's REVIVER plate," Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.

California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and "legal to purchase in a growing number of states." [...] In the blog post, Curry writes the researchers were interested in Reviver because the license plate's features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included "CONSUMER" and "CORPORATE." Eventually, the researchers identified a role called "REVIVER," managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, which included tracking the location of vehicles. "We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry writes. "We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags."
Reviver told Motherboard in a statement that it patched the issues identified by the researchers. "We are proud of our team's quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections," the statement read.

"Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles," it added.
This discussion has been archived. No new comments can be posted.
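
The summary above says the researchers changed their account's role to "REVIVER" but does not say how. As an added example (not Reviver's code and not from the researchers' post), this sketch assumes a profile-update handler that copies client-supplied fields onto the account, and sets it beside a version that allow-lists self-service fields and authorizes and logs every role change; the role ranking, field names and function names are hypothetical.

```python
# Added example. Only the role names CONSUMER, CORPORATE and REVIVER come from
# the article; the ranking, fields and handlers below are constructed.
from dataclasses import dataclass

ROLES = {"CONSUMER": 0, "CORPORATE": 1, "REVIVER": 2}  # assumed ranking
SELF_EDITABLE = {"display_name", "email"}              # hypothetical fields


@dataclass
class Account:
    user_id: int
    role: str = "CONSUMER"
    display_name: str = ""
    email: str = ""


audit_log = []  # stands in for an append-only audit store


def update_unsafe(account, payload):
    """Weak pattern: every client-supplied key is copied onto the account."""
    for key, value in payload.items():
        setattr(account, key, value)
    return account


def update_safe(actor, target, payload):
    """Allow-list self-service fields; role changes need a higher-ranked actor.

    Returns the sorted list of ignored keys so callers can alert on them.
    """
    rejected = sorted(set(payload) - SELF_EDITABLE - {"role"})
    if "role" in payload:
        new_role = payload["role"]
        allowed = (
            new_role in ROLES
            and actor.user_id != target.user_id          # never self-service
            and ROLES[actor.role] >= ROLES[new_role]     # cannot grant above own rank
            and ROLES[actor.role] > ROLES[target.role]   # must outrank the target
        )
        # Log the decision either way: denied attempts are a detection signal.
        audit_log.append((actor.user_id, target.user_id, new_role, allowed))
        if not allowed:
            raise PermissionError("role change denied")
        target.role = new_role
    elif actor.user_id != target.user_id and ROLES[actor.role] <= ROLES[target.role]:
        raise PermissionError("cannot edit another account")
    for key in SELF_EDITABLE & set(payload):
        setattr(target, key, payload[key])
    return rejected
```

A denied entry in `audit_log` where actor and target are the same account is the event worth alerting on.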

  • Questions... (Score:5, Insightful)

    by thomn8r ( 635504 ) on Monday January 09, 2023 @07:11PM (#63193948)
    * why does a license plate need GPS

    * why has this been farmed out to a private company?

    * what do they actually do with the data (it's a given they're collecting and storing it)?

    • Re: (Score:1, Insightful)

      * why does a license plate need GPS

      So they can track you

      * why has this been farmed out to a private company?

      Why have prisons been farmed out to private companies?

      * what do they actually do with the data (it's a given they're collecting and storing it)?

      A cull of dark skinned human beings. The US is full of white supremacists.

    • Re:Questions... (Score:5, Informative)

      by jacks smirking reven ( 909048 ) on Monday January 09, 2023 @07:40PM (#63194010)

      Let's paint the picture.

      A Silicon Valley tech bro, likely from wealthy parents so is pretty wildly insulated from actual issues says "Hey, what if license plates, but digital?", gets some seed money from his college connections and swindles the already kinda gullible CA government to try out this cool idea with the promise of increased revenue.

      It's the "Juicero of the DMV" and the fact that sentence makes some sense is weird and scary.

      • Re:Questions... (Score:5, Informative)

        by ArmoredDragon ( 3450605 ) on Monday January 09, 2023 @09:36PM (#63194222)

        If you want to see wealthy and insulated from actual issues, look at LA city council. The lowest paid member gets $270k/year, highest paid gets $460k/year. For comparison, the US congress makes $174k/year. It's also one of the highest homelessness rates of any city in the US. Yesterday I was at the beach, and I shit you not it was littered to hell, with the things I saw in the most abundance being face masks and condoms. Today driving home from work I ran over at least three potholes in a one mile span. Such a progressive utopia this city is, tax money well spent.

        • Re:Questions... (Score:5, Insightful)

          by Arethan ( 223197 ) on Monday January 09, 2023 @09:55PM (#63194252) Journal

          Suggestion: Move away.

          The more people that throw their hands up and move out, the less money they'll have to blow on stupid shit that doesn't work.

          Do you _really_ need (or even want) to live in that area? Are you truly happy there?

          I'm really not looking to challenge you personally -- if it's honestly your jam, then by all means stick around. Really just pointing out that tech worker WFH generally means that we get to take our high tax yield incomes to whatever municipality we like. So, maybe pick a nice place that isn't run by shitheads that you disagree with on fundamentals?

          Just something to consider.

          • No, it is not my jam. Circumstances have just placed me here for the moment. I want out of this shit. Progressives, who bitch about CEOs making too much money, really don't care when their elected representatives deprive people like me of the money I earned and put it in their own pockets. And I only make half of what they do.

            • Re: (Score:2, Insightful)

              by drinkypoo ( 153816 )

              Progressives, who bitch about CEOs making too much money, really don't care when their elected representatives deprive people like me of the money I earned and put it in their own pockets.

              Those aren't progressives. Those are neoliberals, which actually (literally!) means fascists.

              • If people in California know this, then why do they keep electing them? The urban areas of this state are 100% run by democrats, and they're by far the most broken.

                • If people in California know this, then why do they keep electing them?

                  Speaking for myself, it's because the alternatives presented have been even worse. My first instinct is to blame the party. They won't support any candidate who isn't a shitheel, and there's so much money involved that it's unrealistic to attempt candidacy without their support. My second instinct is to blame first past the post voting systems. We need ranked choice voting everywhere, for everything. It is far more democratic. First past voting systems create this very situation.

                  • California could do that if they wanted to. How they set up their ballots is entirely up to them. And for almost all intents and purposes, it's a single party system.

                    • California could do that if they wanted to. How they set up their ballots is entirely up to them. And for almost all intents and purposes, it's a single party system.

                      It's that way pretty much everywhere but, recently, Alaska. Somebody has a stranglehold and isn't letting go, and nearly all of them are mostly or wholly corrupt.

    • why does a license plate need GPS

      to catch criminals. Why don't you want to catch criminals?

      * why has this been farmed out to a private company?

      Privatization of government operations is more efficient. Why do you want to waste taxpayers' money?

      * what do they actually do with the data (it's a given they're collecting and storing it)?

      Anything they want. It's a given they will do anything they want.

      • I don't want to catch criminals. I'd rather have a less-than-perfectly-safe society than one where breaking rules is impossible. Color me chaotic-something.
        • by Askmum ( 1038780 )

          I don't want to catch criminals. I'd rather have a less-than-perfectly-safe society than one where breaking rules is impossible. Color me chaotic-something.

          You don't want to catch criminals? So you are in favour of crime? So you are a criminal. What if your child was molested by someone who drove away in a car. Wouldn't you want to track and catch him?

      • by Alumoi ( 1321661 )

        Privatization of government operations is more efficient. Why do you want to waste taxpayers' money?

        Wait, what? Do you mean the government is paying those private companies with something other than taxpayers' money?

    • What does Reviver web site say ?

      Who is the CEO and CTO of Reviver ??

      What connection do they have with the State of California ??

      What is the annual salary of these people ?

    • * why does a license plate need GPS? * why has this been farmed out to a private company?

      Why do you think that if it were run by "the government" that the location data would be less misused or vulnerable? (Hint- it probably wouldn't).

      • by nyet ( 19118 )

        Expect insurance companies to give you a discount ... though in some states that might be illegal.

    • by Spamalope ( 91802 ) on Monday January 09, 2023 @08:09PM (#63194058)
      With GPS they can make every road a toll road, charge a 'congestion tax' on any road, make a 'surge toll', give automatic speeding tickets, charge per mile driven in state... so many U$E$ of this tech! That's before you get to tracking attendance at political events so wrongthinkers can be outed to employers for canceling (termination just for twitter follows is old and busted), reported to taxing authorities for audits (not just for donations anymore!) etc.
      It's a brave new world, isn't it!?!?
      • by Weirsbaski ( 585954 ) on Monday January 09, 2023 @08:56PM (#63194142)

        With GPS they can make every road a toll road, charge a 'congestion tax' on any road, make a 'surge toll', give automatic speeding tickets, charge per mile driven in state... so many U$E$ of this tech! That's before you get to tracking attendance at political events so wrongthinkers can be outed to employers for canceling (termination just for twitter follows is old and busted), reported to taxing authorities for audits (not just for donations anymore!) etc.

        They could already do all this with license-plate readers on traffic-cams. Difference is using radio signals makes it harder to f*ck with that system.

        Back of your car is dirty so the plate is hard to read? Camera is blocked, radio signals are not. Car has an almost-license-plate-looking bumper sticker? Camera might be fooled, radio receiver won't. And traffic-cameras look like cameras and work straight-line-of-sight, while radio transmitters can look like anything and cover all vehicles within X distance.

    • Questions 1 and 3 seem self explanatory when you realize the answer to #2 is "scapegoat" and/or "deniability".

      A better question is why would anyone willingly sign up for this?

    • Re:Questions... (Score:4, Informative)

      by CaptQuark ( 2706165 ) on Tuesday January 10, 2023 @02:22AM (#63194518)

      Actually, if they are tracking individual users, they are breaking the law. The amended law specifically states they can't track individual vehicles unless they are commercial or fleet vehicles, and they must display a notice that they are being tracked. I don't know why the GPS data would be in Reviver's database.

      SECTION 1.Section 4463 of the Vehicle Code is amended to read:

      (2)(A)Except as specifically authorized in subparagraph (B), an alternate device shall not include vehicle location technology. The department shall, by no later than January 1, 2024, in a manner determined by the department, recall any devices with vehicle location technology that have been issued pursuant to Section 4853, to vehicles other than those described in subparagraph (B). The department may adopt regulations to carry out this requirement.
      (B)Vehicle location technology may be offered for vehicles registered as fleet vehicles, pursuant to Article 9.5 (commencing with Section 5301), commercial vehicles, as defined in Section 260, and those operating under an occupational license, pursuant to Division 5 (commencing with Section 11100).
      (C)The vehicle location technology, if any, shall be capable of being disabled by the user.
      (D)The vehicle location technology, if any, may be capable of being manually disabled by a driver of the vehicle while that driver is in the vehicle.
      (3)If the device is equipped with vehicle location technology, an alternative device shall display a visual indication that vehicle location technology is in active use.

      *emphasis added https://leginfo.legislature.ca... [ca.gov]

  • by supertrooper ( 2073218 ) on Monday January 09, 2023 @07:11PM (#63193952)
    What is wrong with a regular license plate?
    • by SoCalChris ( 573049 ) on Monday January 09, 2023 @07:22PM (#63193974) Journal

      These cost extra, have a monthly fee, really aren't all that customizable, and as we see they're vulnerable.

      I fully expected to start seeing these on high-end cars, but over the last few months I've been seeing them more and more on lower and mid level cars. Which makes it really easy to spot the people who aren't very bright.

    • It is worse than that, normal license plates are by nature hard to change, while the so called advantage of these digital versions is the ease of changing the numbers.

      This is a prime case where the company selling the product gets 100% of the benefit of the new version while the customer gets a worse product that marketers convince them is somehow 'better'.

      Even without the hacking this thing has multiple issues. Far easier to physically alter them by switching out a chip rather than having a metal smith /

      • by thomn8r ( 635504 )

        It is worse than that, normal license plates are by nature hard to change, while the so called advantage of these digital versions is the ease of changing the numbers.

        How often does one need to change their license plate, and how mechanically inept do you have to be to consider it hard to do? The only times I've had to change a license plate is when I switched to a personalized or year-of-manufacture plate.

    • Re: (Score:1, Offtopic)

      by Tablizer ( 95088 )

      What is wrong with a regular license plate?

      They are not buzzword-compliant. [reddit.com] (note: fake xkcd; stick figures are prior art by at least 50k years.)

    • >"What is wrong with a regular license plate?"

      They aren't "kewl"

      And, you know, "kewl" is far more important than security, reliability, privacy, cost, etc...

    • by khchung ( 462899 )

      What is wrong with a regular license plate?

      They didn't generate enough profits for private companies.

    • What is wrong with a regular license plate?

      Nothing is wrong with regular license plates. If you are looking for a reason for this product then look no further than this: Fools have money and are willing to trade it for the latest gadget.

  • by markdavis ( 642305 ) on Monday January 09, 2023 @07:48PM (#63194024)

    >"Reviver told Motherboard in a statement that it patched the issues identified by the researchers"

    And how do you "patch" it so that nobody can monitor your position, including Reviver?

    Why anyone would put such a device on their vehicle is baffling.

  • Hello, no access lists, session enforcement or just plain checking a cookie token? Security was not even part of the design!
  • We learned that almost nothing is non-partizan.
  • by EzInKy ( 115248 ) on Monday January 09, 2023 @08:57PM (#63194146)

    The purpose of GPS is to track and locate things. What else would it be used for?

  • So what if they fixed their issues. License plates that track you ... no ... fucking ... thanks!
  • Here is an example of a public-private partnership that simply shouldn't exist. There's too much power in the hands of a corporate exec tied up in public info. I know there are other examples but at some point plates will have some kind of this basic functionality. I'd rather some lower-paid DMV worker have access than some money-grubbing a-hole with some conceptual axe to grind. We all know us low-paid workers might pull pranks but we don't think we're all-important beings like most CEOs.

  • I am sure they closed the access off further, and I am also sure they did not remove those capabilities from their system.
