cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Digital license plates

According to reports, Sacramento, California, will test out "digital" license plates.  The trial appears to be limited to 24 plates.

The plates are digital displays that can be updated and modified remotely.  Therefore, they can be updated immediately once car registration is updated.  They can also be used to "broadcast" messages such as emergency and amber alerts, and can be set to display personal messages when the car is not in motion.

The plates also broadcast information to sensors in or beside roads, and can communicate with each other.

I trust it is not too difficult to point out the huge numbers of ways these plates could be attacked or misused.

 

(Here's another article, with a bit more analysis, from Sophos.)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
9 Replies
HTCPCP-TEA
Contributor I

First order of business for criminals would be changing the license plated to display incorrect information.

 

Second order would be using them to record location data, and will be undoubtedly used by law enforcement to track individuals where required....good or bad...

 

Then come the people who want to see the world burn...just display other information used to offend or confuse.

 

Should make for interesting reading though, I'm sure there will be something in the news in the future.

 

Hopefully there will be sufficient testing, appropriate consultation and required assessments prior to the eventual release to public.

CISOScott
Community Champion

Just an enhancement to a manual process now. I got pulled once because the police had a license plate scanner on their vehicle. It scanned every plate it came across and checked it for registration status. Once it came back with my registration had expired (2 days overdue), they pulled me. They gave me a warning ticket that would go away if I got it fixed within 3 days or become a full ticket if not fixed.

With these new digital plates they would have been able to know immediately and then been able to wait along my route or even drove to my house and issued a ticket. Now it will be interesting to see if they build in security or try to fix it later. Imagine if a hacker was able to change the contents, now the bank robber wouldn't necessarily have to steal a car, just steal the license plate info from an identical car and change their plate. What other information would the plate be collecting? Route information? Would it have a stop sensor to detect rolling through stop signs? Instant speeding tickets? Drunk driving/texting sensors?

Would the insurance company have access to the info? Would the DMV be able to sell the personal data of the users?

I agree there are a lot of potential privacy downsides, but there could also be upsides. This would help with autonomous cars as they would be able to determine where cars around them were (as long as license plates were in a standard location on every car). GPS systems could better predict traffic flow and where accidents were. It could reduce reckless speeders because they know they are being tracked and potentially given instant speeding tickets (i.e. You went 75 miles in one hour on an interstate that the speed limit was 55, therefore you were averaging 75 miles per hour). It could provide instant (or better) tracking location in the case of a stolen car, Amber alert, or another crime in progress.  It could track which cars were visiting known crime areas.

There would have to be lots of protections built into these plates like: Can anyone remove them and transfer them to another car? How are they programmed or updated? Would it retain any data in a crash? Could the data on them be destroyed if someone had done something wrong? And many more. 

HTCPCP-TEA
Contributor I

The list of benefits is long and no doubt the list of pitfalls longer.

 

I always think we underthink technologies slightly due to our human disposition. Rather than retrospectively handing out speeding fines, why not have technology recognise speed limit signs and limit the speed of the car.

 

Again, the biggest concern will always be those who choose to break the rules, and of course worse still exploit the technology for personal benefit.

 

It will be fun, and it will be a headache. But when is anything simple for the IT/InfoSec pro's out there these days?

CISOScott
Community Champion

@HTCPCP-TEA Those are some really good ideas!

 

But then the cynic in me remembers the movies like iRobot where we make machines to help the human race with a condition that the machines cannot do anything to harm humans; but the machines, through artificial intelligence, realize that humans are the biggest threat to humans so in order to protect humans it is best if they just stay inside with no interactions with other humans  and let the robots do everything.

 

Or the Bruce Willis movie Live Free or Die Hard where they talk about the "fire sale" where an evil hacker takes over the IT infrastructure and through "fake media" convinces the nation that the government buildings have been destroyed and cripples the nations IT infrastructure. I can see some teenage hackers trying to hack into the speed limit signs and make everyone do 100 MPH. Can you imagine the havoc that would cause?

HTCPCP-TEA
Contributor I

Thankfully, up to now all we can do is imagine the chaos that would come to be.

 

I too have a cynical side and can see exactly what your getting at. It's the first stop in my mind, "What could be manipulated to cause harm or issue".

 

Is this a case for Blockchain type technologies? Something that is nigh on impossible to break into (Please show me an affordable model for this if possible haha)

 

But the other side of me can see so many benefits to be realised. Technology really could make huge positive strides if it could be secured efficiently and appropriately at all levels.

 

Unfortunatley, we have so many interconnected devices it's now a case of retrosepctively addressing issues.

 

Fun times!

rslade
Influencer II


@HTCPCP-TEA wrote:
Is this a case for Blockchain type technologies? Something that is nigh on impossible to break into

Blockchain?  In a "store-and-forward" situation with only random and intermittent connections?  Covering thousands of interactions per day, over tens, if not hundreds, of millions of devices?

 

No.  I think I can safely say that this is definitely a situation where "Blockchain is NOT the answer" applies.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
HTCPCP-TEA
Contributor I

Apologies,

 

I don't think I came accross in the intended manner here.

 

When I mentioned Blockchain, it was an attempt at a Tongue-in-Cheek comment. I've seen a lot of publications recently that suggets blcokschain is the answer to all our problems, and not on this forum I hasten to add...

 

Entirely my fault, but thought I'd clarify.

 

Cheers

 

Baechle
Advocate I

Robert,

 

Nice find.

 


@rslade wrote:

According to reports, Sacramento, California, will test out "digital" license plates.  The trial appears to be limited to 24 plates.


It looks like the trial deals with City employees and City vehicles, first.


@rslade wrote:

I trust it is not too difficult to point out the huge numbers of ways these plates could be attacked or misused.


I don't think it's difficult to propose hypothetical ways this could be abused technologically.  However, I think the lead in of the article, "Big Brother style digital license plates," begins to point at likely problems with adopting this technology in the near term in the U.S.

 

There have already been several court hearings and decisions on the use of GPS tracking of private vehicles in the United States.  In the United States, government surveillance apparently applies to all of government, and not just Law Enforcement entities.  It appears that Transportation believes it can circumvent surveillance protections if it just builds GPS into the license plate device.  I hypothesize that if this plate becomes mandatory, it will be tantamount to government coercion to submit to state surveillance - and likely to fail in the court.

 

Another point that this article brings up is the ability for Transportation to sell targeted advertisement time on parked vehicles.  This is yet another concern in the U.S. for violating freedom of speech, or compelling speech.  I'm not sure I'm comfortable with having my car advertise anything, let alone something I disagree with that could reflect negatively upon my character through no fault of my own.  That's especially true if someone is making money off the advertisement on my vehicle, other than me.

 

And these two points don't even get into the technology problems with the devices being cloned, hacked, etc.  It seems like a cool and futuristic idea, but I don't think I'll be in line to adopt it even if I do have to pay out an extra $650 for new tech gear (for some reason this has become a marketing thing?... like My phone costs $100 more than your phone type deal?).  I mean this is kind of the reason, I drive a 15 year old car... so I can still change my idle with a screwdriver rather than having some nitwit across the street with a laptop blow my motor or lock my brakes up.

 

rslade
Influencer II

And, yet another thing to learn.  Once you have posted something, you can edit it, but you can't delete it.

 

"You can edit any time you like, but you can never delete!

Welcome to the Hotel Comm-Ooon-It-Ee!" o/'


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468