UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web

from the city-hopes-to-one-day-achieve-minimum-competence dept

Government officials always remind us that the price of order and lawfulness requires us, as a society, to give up some of our privacy and liberty. It shouldn’t be that way, but it almost always is.

For UK motorists, the exchange rate for orderly motorway traffic is millions of their travel records left exposed on the open internet.

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Oh my no. This isn’t acceptable. Sure, the Surveillance Camera Commissioner (yes, that’s a thing in the UK) called it “astonishing and worrying,” but even those terms fail to capture the horrendousness of this blunder. If it seems like a lot of records to leave unsecured on the open web, it is. It could allow anyone to retrace the travels of thousands of drivers with minimal effort.

It takes a while to amass nearly nine million license plate photos, but not nearly as long as one might expect. As The Register points out, the system’s 100 cameras collect thousands of photos every day. On February 24, the cameras collected 21,000 photos. The only thing slowing the system down is the coronavirus. Stay at home orders dropped the record collection down to a more manageable 13,000 records on April 13.

The massive system went live in 2018, accompanied by documents that do not contain the word “privacy” anywhere in their 164-pages of bureaucratese. Apparently, no one bothered to perform any sort of penetration test that might have discovered this wide-open door before security researchers did. The best summation of this clusterfuck comes from the person who discovered the unsecured license plate portal.

The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine She said: “Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?”

The Sheffield City Council’s response to the news is less than comforting. While properly calling the breach unacceptable, the city (and the local assistant chief constable) claims (without offering any evidence) that no one was “harmed” or “suffered any detrimental effects” from the exposed database. I beg to differ. It quite clearly harmed the trust drivers may have had in their local government and didn’t do any favors for the traffic camera system provider either. Overseeing a system whose pervasiveness is only surpassed by its insecurity seems pretty detrimental to the “there’s always a tradeoff” posturing governments use when subjecting constituents to even more omnipresent surveillance.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

Lazy or incompetent?

I don’t see the need to put this kind of data on an Internet accessible device. If other government agencies need access, couldn’t they be given access to a private network that isn’t Internet connected? Sure, over the Internet is easier, but only if one does not bother with properly securing the data, which would mean encrypting it among other things.

PaulT (profile) says:

Re: Lazy or incompetent?

Why not both? The possible scenarios I can imagine:

  1. Nobody considered security when designing the system, they were pressured to get something functional available rather than design the best option
  2. Security was considered but it was intended to be on a private network, not on the public internet and someone cocked up the rollout, or made changes after the original deployment that weren’t properly tested
  3. It was intended to be on the public internet, but testing was defunded, or some manager overrode the tests to get it operational before the tests were complete.

There’s other possibilities but my experience tells me it’s likely to be one of the above.

Scary Devil Monastery (profile) says:

The more things change...

"Was there an opportunity for public discourse – or, like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"

People keep forgetting that the reason so much of Douglas Adams works as fine sarcasm is because it is eminently recognizable from real life.

Authorities have always been big on the "…you’ve got nothing to hide" rhetoric while being similarly big on making sure their own maneuvers around the security theatre performance they’re about to pull is, if not hidden then placed in a location which is inconvenient to access.

The irony is that in the UK as in everywhere else it might not be that the authorities DO have anything to hide, specifically. They just have this inexplicable urge to do their business in private, if you don’t mind…

ECA (profile) says:

really have to ask...

Is this real?
Is this part of a conspiracy?
HOW bad is it to setup a computer and protect it.
Havnt we been thru this Allot in recent years and the understanding of ‘What not to do’ Should be clear.
But, there are new occurrences every day. and it seems not to be slowing down.
There must be some powerful systems and protection for google, amazon, and a few others..
MAYBE they have real sysops and admins watching things.
Maybe they installed a Better front end, and not direct access to the system.
Maybe the big corps install honeypots and other protections that have bells and whistles to warn them of mistakes.

And I would still love to know what server OS they are running. Or did they just Slap it together and let it work.

Coyne Tibbets (profile) says:

Something don't seem right

I am wondering where these "100 cameras" are located. Timbuktu, maybe? According to them, the cameras recorded 21,000 cars per day. But that boils down to 210 cars per camera. One station on Colonial Blvd in Orange County Florida tracked 65,000 cars/day (well, it’s a busy street).

Okay, Sheffield is smaller than Orlando, but still…these roads must be pretty darn remote. Either that or someone has fudged a number somewhere.

PaulT (profile) says:

Re: Something don't seem right

Well, for one thing cities outside the US can tend to be a lot less car obsessive, with decent public transportation and other forms of transport being more common. My experience is that US cities are often designed so it’s impossible to make most journeys without a car, while elsewhere other forms of transport can be preferable. British cities actually have taken a directions of building car-free areas, closing off city centre streets to cars, and I know that Sheffield has buses, trams and trains as well as cycle networks.

You also seem to be assuming that the point of these cameras is to monitor major roads, but that doesn’t seem to be evident from the article. It’s likely that their purpose is to monitor streets where cars have already been restricted to traffic, rather than just trying to gobble up data on anyone exiting the M1 toward it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...