UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web
from the city-hopes-to-one-day-achieve-minimum-competence dept
Government officials always remind us that the price of order and lawfulness requires us, as a society, to give up some of our privacy and liberty. It shouldn’t be that way, but it almost always is.
For UK motorists, the exchange rate for orderly motorway traffic is millions of their travel records left exposed on the open internet.
In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.
Oh my no. This isn’t acceptable. Sure, the Surveillance Camera Commissioner (yes, that’s a thing in the UK) called it “astonishing and worrying,” but even those terms fail to capture the horrendousness of this blunder. If it seems like a lot of records to leave unsecured on the open web, it is. It could allow anyone to retrace the travels of thousands of drivers with minimal effort.
It takes a while to amass nearly nine million license plate photos, but not nearly as long as one might expect. As The Register points out, the system’s 100 cameras collect thousands of photos every day. On February 24, the cameras collected 21,000 photos. The only thing slowing the system down is the coronavirus. Stay at home orders dropped the record collection down to a more manageable 13,000 records on April 13.
The massive system went live in 2018, accompanied by documents that do not contain the word “privacy” anywhere in their 164-pages of bureaucratese. Apparently, no one bothered to perform any sort of penetration test that might have discovered this wide-open door before security researchers did. The best summation of this clusterfuck comes from the person who discovered the unsecured license plate portal.
The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine Censys.io. She said: “Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?”
The Sheffield City Council’s response to the news is less than comforting. While properly calling the breach unacceptable, the city (and the local assistant chief constable) claims (without offering any evidence) that no one was “harmed” or “suffered any detrimental effects” from the exposed database. I beg to differ. It quite clearly harmed the trust drivers may have had in their local government and didn’t do any favors for the traffic camera system provider either. Overseeing a system whose pervasiveness is only surpassed by its insecurity seems pretty detrimental to the “there’s always a tradeoff” posturing governments use when subjecting constituents to even more omnipresent surveillance.
Filed Under: leak, license plate, location data, privacy, sheffield, uk
Comments on “UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web”
Your story completely contradicts itself.
Lazy or incompetent?
I don’t see the need to put this kind of data on an Internet accessible device. If other government agencies need access, couldn’t they be given access to a private network that isn’t Internet connected? Sure, over the Internet is easier, but only if one does not bother with properly securing the data, which would mean encrypting it among other things.
Re: Lazy or incompetent?
Why not both? The possible scenarios I can imagine:
There’s other possibilities but my experience tells me it’s likely to be one of the above.
The more things change...
"Was there an opportunity for public discourse – or, like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"
People keep forgetting that the reason so much of Douglas Adams works as fine sarcasm is because it is eminently recognizable from real life.
Authorities have always been big on the "…you’ve got nothing to hide" rhetoric while being similarly big on making sure their own maneuvers around the security theatre performance they’re about to pull is, if not hidden then placed in a location which is inconvenient to access.
The irony is that in the UK as in everywhere else it might not be that the authorities DO have anything to hide, specifically. They just have this inexplicable urge to do their business in private, if you don’t mind…
shouldn’t worry about it. once all this corona virus recognition crap has been forced on to us, every government everywhere will have exactly what they want, everyone of us bent over a barrel without a single morsel of freedom or privacy ever again!
really have to ask...
Is this real?
Is this part of a conspiracy?
HOW bad is it to setup a computer and protect it.
Havnt we been thru this Allot in recent years and the understanding of ‘What not to do’ Should be clear.
But, there are new occurrences every day. and it seems not to be slowing down.
There must be some powerful systems and protection for google, amazon, and a few others..
MAYBE they have real sysops and admins watching things.
Maybe they installed a Better front end, and not direct access to the system.
Maybe the big corps install honeypots and other protections that have bells and whistles to warn them of mistakes.
And I would still love to know what server OS they are running. Or did they just Slap it together and let it work.
Something don't seem right
I am wondering where these "100 cameras" are located. Timbuktu, maybe? According to them, the cameras recorded 21,000 cars per day. But that boils down to 210 cars per camera. One station on Colonial Blvd in Orange County Florida tracked 65,000 cars/day (well, it’s a busy street).
Okay, Sheffield is smaller than Orlando, but still…these roads must be pretty darn remote. Either that or someone has fudged a number somewhere.
Re: Something don't seem right
Well, for one thing cities outside the US can tend to be a lot less car obsessive, with decent public transportation and other forms of transport being more common. My experience is that US cities are often designed so it’s impossible to make most journeys without a car, while elsewhere other forms of transport can be preferable. British cities actually have taken a directions of building car-free areas, closing off city centre streets to cars, and I know that Sheffield has buses, trams and trains as well as cycle networks.
You also seem to be assuming that the point of these cameras is to monitor major roads, but that doesn’t seem to be evident from the article. It’s likely that their purpose is to monitor streets where cars have already been restricted to traffic, rather than just trying to gobble up data on anyone exiting the M1 toward it.
Lack of evidence?
What are the odds that the lack of evidence of any unathorised access is due to the fact it has no proper monitoring or logging function? There should have been evidence of access from either/both the Censys.io search engine or the security researcher at a minimum.