A year or so ago, whilst in a hotel bar, I had a beer or three with a work colleague and mentioned to him that I’d seen an advert for e-paper displays for the Raspberry Pi, and that I thought it would be cool to build an electronic car registration plate if they made them the right size.

Now, remember – we had had a beer or five, so the only use for this we could see was to be able to change your plate to avoid speeding fines, etc.
Legalities aside, it would be cool anyway, right?
When you’ve had a beer or seven, you do come up with some great ideas. In my early 20s I came up with the idea for Kebab-cabs. Buy a bunch of old London Black Cabs and use the empty space next to the driver to install a kebab-dispensing machine for inebriated passengers who wanted both a nourishing post-club meal and a ride home all in one…
After a beer or nine I also had the idea for a “special” PIN on your ATM card which allowed you to withdraw a one-off-per-day £15 max if you forgot your usual PIN so that you could use the cash for either a taxi or more beer by typing in “taxi” (8294) or “beer” (2337) on the keypad. The amount would show on your statement as such as a reminder of your drunken moments.
Ahhh those were the days!

Anyway, back to the point of this blog…
Plates for the 21st century
Fast forward in time to 2021 and enter Reviver, the US company who now sell digital licence plates and who have recently been successful in having their devices approved by the courts of California for use on road-going vehicles.
Reviver offer two services – RPlate for individuals, and RFleet for companies.
Now in the U.S. I can actually see a use for digital plates. In America, they have a different approach to vehicle licensing to the UK – for example, in the U.S., the plate is registered to the individual, not the car, and typically stays with the owner if they sell the vehicle on.
In most states, it is a requirement to have the licence plate re-issued every couple of years which will include not only the plate tag, but also the validity period, so new plates have to be made up.
Additionally there are fewer restrictions on “vanity plates” for vehicles than in the UK. Almost anything goes, including slogans.

It’s also quite common in the U.S. for plates to be swapped around quite frequently. So a digital plate makes sense when compared to how we have to have plates specially manufactured here in the UK.
Reviver have brought licence plates into the 21st century with features such as personalisation capabilities, security tracking, and the ability to use a smartphone app to quickly register the plate with the DMV instead of waiting in long queues to get this done.

We regularly see the dreaded DMV being parodied in TV shows and films as being soulless, totalitarian places with spiteful, often incompetent staff so anything that allows a person to avoid this must be welcome I presume? So I can see this working in the States.

For fleet users, Reviver offer the same options as those for individuals, but also offer the ability to register an entire fleet of vehicles with consecutive IDs, obtain real-time telemetry of the fleet movements, and theft alerts which automatically trigger the licence plate to read STOLEN – a pretty obvious sign to any law enforcement officer to stop the vehicle.
Hacking Reviver
It was the real-time tracking ability of Reviver licence plates which caught the attention of security researcher Sam Curry.
During the course of his research, Sam and his colleagues found that when registering an account with the Reviver app, they were assigned a unique, editable JSON object that, among other things, allowed the account owner to add sub-users to the account. This JSON object was titled “company” and was not a flaw in itself: it was designed to work this way so that Reviver users could add other members, or other fleet users, to the system.
What they also discovered was that within the object were definitions for various roles, such as consumer, and dealer.
After exploring various other functions of the Reviver system, they hit on the password reset functionality of the website. This gave the user a whole host of abilities, such as vehicle administration, user account management, and more.
Examining the website source code, they found a JavaScript file which listed other roles, including one called Reviver. When they tried to use it, it broke the website’s user interface, indicating to them that it was most likely some sort of administrator account that was never intended to have a password reset conducted in this way.
By manipulating the API for the Reviver app, they managed to use the Reviver role to gain full authorisation to the system, allowing the team to perform any action, including tracking fleet vehicles, changing plate displays, and adding new users to the system with elevated permissions.
Sam went on to say that their discoveries could allow a malicious actor the ability to track any vehicle fitted with a Reviver licence plate.
After they disclosed their findings to Reviver, the flaws were fixed within 24 hours and no longer allow malicious access to occur.
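The underlying weakness described above is a client-editable object that carries its own role, and the fix is to decide role changes on the server against the caller's stored role. The sketch below is an added example, not Reviver's code or the researchers'; the role names come from the text, while the field names and the grant table are assumptions.

```javascript
// Added example with a constructed data model (not Reviver's code).
// Role names are taken from the article; everything else is assumed.
const ASSIGNABLE_BY = new Map([
  ["consumer", []],                      // end users cannot grant roles
  ["dealer", ["consumer"]],              // assumed: dealers manage consumer sub-users
  ["Reviver", ["consumer", "dealer"]],   // internal role, never grantable via the API
]);

// Fields an account owner may edit on their own record (assumed names).
const SELF_EDITABLE = new Set(["displayName", "phone"]);

// Weak pattern: merge whatever the client sent, role included.
function updateUserNaive(stored, patch) {
  return { ...stored, ...patch };
}

// Hardened pattern: allow-list plain fields, and authorise any role change
// against the caller's role as held server-side, never against the request.
function updateUserChecked(caller, stored, patch) {
  const next = { ...stored };
  const rejected = [];
  const isSelf = caller.id === stored.id;
  for (const [key, value] of Object.entries(patch)) {
    if (key === "role") {
      const grantable = ASSIGNABLE_BY.get(caller.role) || [];
      // Nobody changes their own role; others only within the grant table.
      if (!isSelf && grantable.includes(value)) next.role = value;
      else rejected.push(key);
    } else if (isSelf && SELF_EDITABLE.has(key)) {
      next[key] = value;
    } else {
      rejected.push(key); // unknown or protected field: drop it and report it
    }
  }
  return { user: next, rejected };
}

// Constructed sample records and request body.
const consumer = { id: 1, role: "consumer", displayName: "A" };
const dealer = { id: 2, role: "dealer", displayName: "B" };
const selfPatch = { displayName: "Sam", role: "Reviver" };

console.log(updateUserNaive(consumer, selfPatch).role);
console.log(updateUserChecked(consumer, consumer, selfPatch));
console.log(updateUserChecked(dealer, consumer, { role: "dealer" }).rejected);
```

The `rejected` list is worth logging: a request that tries to set `role` on its own account is a useful detection signal even when it fails.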
Modern tech is great
Whilst I am 100% an advocate for improving life with modern technology, we must ALWAYS consider the security implications before putting things to market, because if we don’t, others will quickly find the flaws.
Personally though – I still think nothing beats the manual approach to licence plate swaps…