Researcher demonstrates how to hack digital license plates, evade tolls

All kinds of mischief is possible with his technique

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

A hot potato: Digital license plates, legal in several states and gaining traction nationwide, are vulnerable to manipulation by their owners or other malicious parties, potentially enabling illegal behavior that could undermine traffic enforcement systems, according to IOActive's security researcher Josep Rodriguez, who has uncovered potential vulnerabilities in these high-tech plates.

As digital license plates become more prevalent, with California, Arizona, and Michigan already allowing their use, their security implications are becoming increasingly relevant. "You should assume people will mess with them," security researcher Sam Curry told Wired.

Digital license plates, such as those produced by Reviver, the leading manufacturer in the US, allow drivers to change their plate display remotely, flag stolen vehicles, and even display custom messages. With 65,000 plates already sold, this technology is poised to become increasingly common on American roads.

Rodriguez, though, has discovered a technique to jailbreak these digital plates, allowing users to alter their license plates at will. This vulnerability could have far-reaching consequences for traffic enforcement and surveillance systems that rely on license plate identification.

Rodriguez's method involves physically accessing the plate, removing a sticker, and connecting a cable to internal connectors. Through this process, he can rewrite the plate's firmware, enabling it to receive commands via Bluetooth from a smartphone app. This jailbreak could theoretically allow drivers to evade tolls, parking tickets, and automatic license plate readers used by law enforcement.

"You can put whatever you want on the screen, which users are not supposed to be able to do," Rodriguez told Wired. "Imagine you are going through a speed camera or if you are a criminal and you don't want to get caught."

The implications of this vulnerability extend beyond simple evasion. Rodriguez points out that a jailbroken plate could potentially display the number of another vehicle, potentially framing innocent drivers for violations they didn't commit.

And because this security flaw is rooted within Reviver's chips, the issue cannot be resolved through a simple software update. To effectively address the vulnerability, Reviver would need to replace the affected chips in every digital license plate display they have produced. Consequently, the existing digital license plates are likely to remain susceptible to manipulation for the foreseeable future.

// Related Stories

• Salt Typhoon hack exposed millions, but carriers AT&T and Verizon only notified "high-value" customers
• Driving toward zero: how the DOT plans to use V2X wireless communication to eliminate traffic fatalities

Reviver, when contacted about these findings, emphasized the illegality of such actions and the physical access required to exploit this vulnerability. "This scenario is highly unlikely to occur in real-world conditions, limiting it to individual bad actors knowingly violating laws and product warranties," it said.

Reviver also told Wired it was redesigning its license plates to avoid using chips vulnerable to Rodriguez's hacking technique in the future.

Reviver maintains that hacking its plates would require "specialized tools" or "expertise" – a claim that Rodriguez says is ultimately untrue. Rodriguez's method involved a sophisticated fault-injection process. He physically connected wires to the plate's internal chip and carefully monitored its voltage. It was only by inducing a precise voltage fluctuation at a critical moment that Rodriguez was able to bypass the plate's security measures, allowing him to examine and modify its firmware.

However, Rodriguez then used the gathered information to create a streamlined jailbreaking tool. This new tool significantly simplifies the process, eliminating the need for the intricate technical steps involved in the original method. Rodriguez said he wasn't planning on releasing the tool.

This isn't the first time Reviver's systems have been scrutinized. In 2022, security researcher Sam Curry discovered web-based vulnerabilities that allowed him to gain administrative access to Reviver's backend database. Unlike Rodriguez's hardware-based approach, these issues were quickly patched by Reviver.