UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web
from the city-hopes-to-one-day-achieve-minimum-competence dept
Government officials always remind us that the price of order and lawfulness requires us, as a society, to give up some of our privacy and liberty. It shouldn’t be that way, but it almost always is.
For UK motorists, the exchange rate for orderly motorway traffic is millions of their travel records left exposed on the open internet.
In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.
Oh my no. This isn’t acceptable. Sure, the Surveillance Camera Commissioner (yes, that’s a thing in the UK) called it “astonishing and worrying,” but even those terms fail to capture the horrendousness of this blunder. If it seems like a lot of records to leave unsecured on the open web, it is. It could allow anyone to retrace the travels of thousands of drivers with minimal effort.
It takes a while to amass nearly nine million license plate photos, but not nearly as long as one might expect. As The Register points out, the system’s 100 cameras collect thousands of photos every day. On February 24, the cameras collected 21,000 photos. The only thing slowing the system down is the coronavirus. Stay-at-home orders dropped the record collection down to a more manageable 13,000 records on April 13.
The massive system went live in 2018, accompanied by documents that do not contain the word “privacy” anywhere in their 164 pages of bureaucratese. Apparently, no one bothered to perform any sort of penetration test that might have discovered this wide-open door before security researchers did. The best summation of this clusterfuck comes from the person who discovered the unsecured license plate portal.
The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine Censys.io. She said: “Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?”
The Sheffield City Council’s response to the news is less than comforting. While properly calling the breach unacceptable, the city (and the local assistant chief constable) claims (without offering any evidence) that no one was “harmed” or “suffered any detrimental effects” from the exposed database. I beg to differ. It quite clearly harmed the trust drivers may have had in their local government and didn’t do any favors for the traffic camera system provider either. Overseeing a system whose pervasiveness is only surpassed by its insecurity seems pretty detrimental to the “there’s always a tradeoff” posturing governments use when subjecting constituents to even more omnipresent surveillance.