Researchers Uncover Hacking Vulnerabilities in Arizona’s Digital License Plates

Security researchers have identified a critical vulnerability in Arizona’s digital license plates, enabling unauthorized modifications to license plate numbers. Reported by Wired, investigators from IOActive successfully jailbroke a digital plate, permitting the display of any image or text. Jailbreaking, the process of bypassing device restrictions, is typically associated with unauthorized software installations.

The digital plates, produced by Reviver, the foremost manufacturer in the U.S., were compromised by researcher Josep Rodriguez. He accessed the plate’s firmware by removing a sticker and connecting a cable. Using Bluetooth commands, Rodriguez modified the plate’s display as desired.

This vulnerability raises serious concerns, as it could allow individuals to evade tolls or traffic citations by altering their license plate. Moreover, malicious actors could hack a driver’s plate, displaying images that implicate them in illegal activities, such as resembling a stolen vehicle’s registration.

Reviver has advocated for digital plates as a tool for crime prevention, enabling users to signal when their vehicle is stolen via their smartphones. In response to the Wired article, Reviver claimed it presented a “sensational and misleading narrative” while emphasizing their commitment to collaborating with partners.

Reviver acknowledged the potential for skilled users to jailbreak devices but insisted that modifications on their digital plates are far more challenging than standard metal plates. They believe that any such activity is illegal and maintain that customers would be notified if their plate was tampered with. The company criticized the likelihood of such scenarios occurring in practice.

As of December 31, 2024, the Arizona Department of Transportation had issued only 1,634 digital plates amidst over 8 million registered vehicles in the state. Bill Lamoreaux, spokesperson for ADOT, confirmed that the department is in discussions with Reviver on this issue and is monitoring the redesign process for the plates.

The Arizona Department of Public Safety declined to provide specifics but referred inquiries to ADOT, which has not reported any incidents of hacked digital plates. Concerns about Reviver’s security have surfaced previously; in 2022, researcher Sam Curry exposed a vulnerability in Reviver’s website, granting him unauthorized access to backend databases, which Reviver later patched.

Rodriguez has contested Reviver’s claim that only highly skilled individuals could jailbreak their plates. He noted that consumers may easily obtain pre-jailbroken plates online, similar to other modified electronics. IOActive has expressed frustration over Reviver’s disregard for their reports about the exploit over the past year, stating a lack of response until Wired made inquiries.