Now Even License Plates Can Be Hacked
The generation of children who grew up entranced by Dr. Seuss’s 1990 bestseller “Oh, the Places You’ll Go!” are now adults who are definitely going places – with every move tracked and recorded in multiple ways.
In the 2018 Carpenter case, the U.S. Supreme Court held that Americans have a reasonable expectation of privacy with respect to their historical location data. This expectation, the Court reasoned, requires a probable cause warrant under the Fourth Amendment before someone’s location history can be inspected by law enforcement. That sounds like a definitive ruling, but it wasn’t.
Law enforcement agencies expand legal loopholes and use legal tricks to get around this narrow opinion. For example, last year the Virginia Mercury news organization found that 18 police departments around the state accessed more than 7,000-days-worth of surveillance, often in pursuit of minor criminal cases. How did the police get around the Carpenter rule? By creating their very own assembly line for warrants. In another example, stingrays – cell-site simulators that mimic cell towers – are still used by at least 14 federal agencies and 75 state agencies to locate people. And, of course, our cars have become digital devices with GPS features that record our trips.
Now it has been revealed by security researchers that they can track one’s location by hacking digital license plates in California. These are special plates that Golden State residents can sport for a monthly fee, giving them a battery- or wire-powered plate that can digitally update the bottom line of their license plate to display changing messages (such as celebrating a recent bowl win by the customer’s football team). They also text owners if a car has been removed without permission, sending a “stolen” alert.
Vice’s Motherboard reports that security researchers gained administrative access to the sole provider of these plates, Reviver. Through this access, the researchers tracked vehicles and their movements by GPS. They could also change the digital slogans at the bottom. On the more benign end, imagine switching someone’s “Go Cal!” license plate to “Go Stanford!” Far more maliciously, the researchers surmised that an actual attacker could also delete a customer’s Reviver plate. Somewhat concerning is the researchers’ discovery that granting themselves superuser access gave them the ability to track vehicles – which begs the question of why the company manufacturing these license plates felt the need to give themselves this ability to begin with.
Reviver told Vice that it had quickly patched the system. The security of digital license plates is a concern for the minority of drivers who’ve purchased this technology and can afford its monthly fee. The larger issue is that as the Internet of Things unfolds, we’re going to be tracked eight ways to Sunday that the law allows.
When more cases about permutations of location tracking next appear before the Supreme Court – and the narrowness of Carpenter ensures that it will – the Justices should take that as an opportunity to issue a more comprehensive ban on warrantless tracking.
Comments are closed.