The “Internet of Things” (IoT) is a tech industry term that sounds innocuous, but its existence has some serious implications for our security and privacy. IoT devices are ordinary objects or appliances with embedded sensors, computer processors, and communication modules — WiFi-connected cars, smart picture frames, internet-connected thermostats, and so on. These devices offer some conveniences, but they've also become more invasive and prone to security vulnerabilities. You might be concerned about someone hacking your computer or phone, but you probably hadn't thought about someone hacking your smart fridge.

A powerful example of this comes from California, where new digital license plates — promoted as an optional upgrade — were legalized by Governor Gavin Newsom in October 2022. A few months after release, California's electronic license plate system has already been hacked, allowing hackers to track GPS location, access the owner's personal info, change text on the plate, and more. They could even flag the vehicle as stolen, which could prompt police to conduct a high-intensity felony stop.

The Electronic License Plate Hack

Above: Reviver's product page touts “control in the palm of your hand” by using the mobile app to customize your RPlate.

Luckily, the hackers in this case were benevolent “white hats” who had no intention of using this vulnerability to cause chaos. Instead, they immediately reported the vulnerability (likely for a large cash bounty) to Reviver, the company that sells and manages the new RPlate electronic license plates. Reviver reportedly patched the flaw within 24 hours. After an internal investigation, the company claimed that the flaw had never been used maliciously and that no user data had been leaked to the public.

Above: This privacy promise from Reviver seems rather ironic given the recent cybersecurity revelations.

Even though a cybersecurity disaster was narrowly averted in this case, it's certainly concerning to learn how serious the vulnerability was. Security researcher Sam Curry explained that a JavaScript flaw in Reviver's website allowed his team to switch their account access level from that of a standard user to a “super administrator.” Once they had admin access, they could…

  • Access personal information of any electronic plate owner, including vehicles owned, physical address, phone number, and email address
  • Remotely track the GPS location of any electronic license plate
  • Delete license plates from the system
  • Add new license plates to the system
  • Replace the dealer logo on temporary tags for new cars
  • Change the custom text line at the bottom of the plate
  • Update the status of any electronic plate to “STOLEN,” which might lead police to stop the driver at gunpoint

Above: Under normal circumstances, the ability to mark a plate as “STOLEN” instantly might seem beneficial. In this case, it almost became a huge safety issue.

A Growing Cybersecurity Problem

This isn't even close to the only serious vulnerability documented by Sam Curry in his blog post, “Web Hackers vs. The Auto Industry.” He also showed web backdoors that affected a staggering list of automakers, including Kia, Hyundai, Honda, Toyota, Infiniti, Nissan, Acura, Ford, Mercedes-Benz, BMW, Porsche, and even Ferrari. Many of these included the ability to “remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk” using only the vehicle's publicly visible VIN.

In the past, hackers have also demonstrated the ability to remotely turn off vehicles that are already in motion, which could lead to a serious crash.

Auto industry aside, the state of California is no stranger to glaring cybersecurity vulnerabilities. Last summer, the CA Department of Justice confirmed that the personal data of everyone who was granted or denied a concealed-carry weapon permit between 2011 and 2021 had been leaked. This info included “names, date of birth, gender, race, driver's license number, addresses, and criminal history.” This leak affected nearly a quarter-million Californians, including judges and police officers, possibly making these individuals a target for home invasion robberies and other crimes.

Talk is Cheap

In almost every case, the affected companies or governing bodies have been quick to apologize and assure everyone it was an isolated incident. But it's clear that these hacks will continue happening unless those responsible for our data spend the time and money to make cybersecurity a much higher priority.

In the meantime, we encourage you to weigh the pros and cons carefully before adding more IoT smart devices to your home (or garage).
