IOActive's IOAsis - Horseshoe Las Vegas

Hacking Digital License Plates with Fault Injection | Josep Pi Rodríguez 

August 9 | 12:00pm - 1:00pm

ABSTRACT:

IOActive conducted research to assess the security level of the Reviver digital license plate. Reviver’s plate is the only digital plate allowed in the United States and is currently available in some states. This digital license plate, approved by those states’ Department of Motor Vehicles (DMV), allows users to access features such as pre-approved custom messages on the screen and vehicle tracking with the plate’s GPS module. Users can’t change the plate number on the screen – this is a critical security feature of the device.

As security professionals, our minds immediately drift to the possibility of attacking the plate and changing the plate number or using its GPS/LTE capabilities to track vehicles. The only way to answer the question was to try it.

While this device has a better security posture than average, IOActive found that it is vulnerable to a fault injection attack that allowed the researcher first to extract the firmware from the internal flash of the SoC and then to gain debugging capabilities over JTAG. After some reverse engineering work, it was possible to determine how some critical areas of the firmware work, and a custom firmware image was created that would allow malicious users to fully control any Reviver DMV-approved plate.

With this new firmware created by IOActive, a malicious user can change the plate screen at will using a mobile app that connects over BLE to the plate. This could be seen as a jailbreak/root where users can do anything with the plate. Malicious users or attackers would not need to exploit the fault injection to install this new custom firmware.

Attackers can also use this issue to force the plate to connect over LTE to the attacker’s command-and-control server and track the vehicle over GPS, as well as to change the screen at will, potentially causing legal issues for the owners.

Finally, we will show the reverse-engineering process for the BLE firmware code, as well as the backend server communications over LTE-CAT1, which use the STSAFE-A110 Secure Element for the DTLS communications.

Josep Pi Rodríguez, Principal Security Consultant

IOActive Principal Security Consultant Josep Rodríguez has a broad skill set and deep experience in security testing. Over the past decade, Josep has worked with major firms including Deloitte, Telefónica Ingeniería de Seguridad (TIS), and Internet Security Auditors, in addition to IOActive’s roster of high-profile clients. Josep’s passion for security testing extends to his “free time,” in which he has discovered numerous published vulnerabilities. His findings have included discovery of near field communications (NFC) flaws in Tesla vehicles and common point-of-sale terminals.
