Digital License Plates in Arizona Expose Major Hacking Vulnerability, Researchers Warn

Security researchers have identified a significant vulnerability in Arizona’s digital license plates, enabling potential hackers to alter the displayed license plate numbers. The discovery, reported by Wired, stems from the efforts of IOActive researchers who successfully jailbroke these innovative license plates manufactured by Reviver, a leading provider in the U.S.

Josep Rodriguez, a security expert at IOActive, demonstrated the exploit by removing a sticker from the back of the digital plate, connecting a cable to change its firmware, and then using Bluetooth commands to display any message he desired. This manipulation raises serious concerns regarding the risk of evading tolls or speeding tickets, and could allow unauthorized users to impersonate legitimate vehicles, even displaying images associated with stolen cars.

Reviver has framed the narrative as misleading, asserting that the Wired article lacks critical details and emphasizing that they are collaborating with pertinent partners. “Unfortunately, efforts to manipulate license plates are not new,” the company stated, highlighting that tampering with traditional metal plates is easier than hacking their digital versions, which have multiple security layers.

While Reviver acknowledged that skilled individuals could hack any electronic device, they insisted such actions are illegal and claimed that customers would be alerted if their digital plate were tampered with, dismissing IOActive’s findings as unlikely in practical scenarios. The Arizona Department of Transportation (ADOT) has issued 1,634 digital license plates as of December 31, 2024, whilst the state has a vast total of over 8 million registered vehicles.

ADOT spokesperson Bill Lamoreaux noted that the agency is in discussions with Reviver regarding the exploit and will closely monitor future plate redesigns. He encouraged anyone aware of fraudulent activity related to their vehicle to utilize the ADOT Fraud Hotline. In this context, the Arizona Department of Public Safety referred questions to ADOT but did not specify incidents of hacking involving digital plates.

This isn’t the first incident involving security vulnerabilities linked to Reviver. In 2022, another researcher, Sam Curry, discovered a flaw on Reviver’s website that granted him unauthorized access to its backend database, allowing him to track and alter license plates before the company addressed the issue. Rodriguez has contested Reviver’s claims, asserting that drivers could potentially purchase pre-jailbroken plates online, mirroring trends seen in other electronics. Despite attempts to notify Reviver of these vulnerabilities over the past year, it wasn’t until the Wired inquiry that the company responded.