Hackers can crack digital license plates to get others to pay their tolls and tickets

Digital license plates now legal for purchase in an increasing number of countries and for cross-country driving, offer several advantages over their sheet metal predecessors. You can change their display on the fly to frame your license plate number with news messages, for example, or to indicate that your car has been stolen. Now a security researcher has shown how they can also be hacked to enable a less benign feature: changing a car’s number plate at will to avoid traffic fines and tolls – or even hang them on someone else.

Josep Rodríguez, a researcher at security firm IOActive, revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading provider of those numbers in the US. By removing a sticker on the back of the board and connecting a cable to the internal connectors, he can rewrite the Reviver board’s firmware in minutes. Then, with custom firmware installed, the dashed license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or images.

This jailbreak sensitivity, Rodriguez points out, could allow drivers with license plates to evade any system that depends on license plate numbers for enforcement or monitoring, from speeding charges and parking fines to automatic number plate readers which police use to track suspected criminals. “You can put whatever you want on the screen, which users shouldn’t be able to do,” Rodriguez says. “Imagine going through a speed camera or if you’re a criminal and you don’t want to get caught.”

Even worse, Rodriguez points out, a broken license plate can be changed not only to an arbitrary number, but also to the number of another vehicle – the driver of which will then receive the malicious user’s tickets and toll bills. “If you can change the license plate whenever you want, you can create some real problems,” Rodriguez says.

All traffic-related mishaps aside, Rodriguez also notes that jailbreaking the plates can also allow drivers to use the plates’ features, including built-in GPS tracking, without paying Reviver’s $29.99 monthly subscription fee.

Because the vulnerability that allowed him to rewrite the plates’ firmware exists at the hardware level—within Reviver’s chips themselves—Rodriguez says there’s no way for Reviver to fix the problem with just a software update. Instead, you will need to replace these chips in each display. That means it’s very likely the company’s license plates will remain vulnerable despite Rodriguez’s warning — a fact Rodriguez says transportation policymakers and law enforcement need to be aware of as digital license plates roll out across the country. “It’s a big problem because now you have thousands of license plates with this problem and you’re going to have to replace the hardware to fix it,” he says.