[BreachExchange] Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard
Destry Winant
destry at riskbasedsecurity.com
Fri May 1 10:17:10 EDT 2020
https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/
Exclusive In a blunder described as "astonishing and worrying,"
Sheffield City Council's automatic number-plate recognition (ANPR)
system exposed to the internet 8.6 million records of road journeys
made by thousands of people, The Register can reveal.
The ANPR camera system's internal management dashboard could be
accessed by simply entering its IP address into a web browser. No
login details or authentication of any sort was needed to view and
search the live system – which logs where and when vehicles,
identified by their number plates, travel through Sheffield's road
network.
Britain's Surveillance Camera Commissioner Tony Porter described the
security lapse as "both astonishing and worrying," and demanded a full
probe into the snafu.
He told us: "As chair of the National ANPR Independent Advisory Group,
I will be requesting a report into this incident. I will focus on the
comprehensive national standards that exist and look towards any
emerging compliance issues or failure thereof."
Eugene Walker, Sheffield City Council's executive director of
resources, together with Assistant Chief Constable David Hartley of
South Yorkshire Police, told us:
We take joint responsibility for working to address this data breach.
It is not an acceptable thing to have occurred. However, it is
important to be very clear that, to the best of our knowledge, nobody
came to any harm or suffered any detrimental effects as a result of
this breach.
The Register learned of the unprotected dashboard from infosec expert
and author Chris Kubecka, working with freelance writer Gerard
Janssen, who stumbled across it using search engine Censys.io. She
said: "Was the public ever told the system would be in place and that
the risks were reasonable? Was there an opportunity for public
discourse – or, like in Hitchhiker's Guide to the Galaxy, were the
plans in a planning office at an impossible or undisclosed location?"
A screenshot of Sheffield City Council's leaked ANPR management
dashboard, sent to The Register ... Click to enlarge
The unsecured management dashboard could have been used by anyone who
found it to reconstruct a particular vehicle's journey, or series of
journeys, from its number plate, right down to the minute with ease. A
malicious person could have renamed the cameras or altered key
metadata shown to operators, such as a camera's location, direction,
and unique identifying number.
Privacy International's Edin Omanovic lamented over the
privacy-busting potential of the system, telling The Register: "Time
and again we've seen the introduction of surveillance tech for very
specific purposes, only to creep into other areas of enforcement."
Omanovic continued:
ANPR use must be proportionate to the problem it's trying to address –
it's not supposed to be a tool of mass surveillance. Both the council
and police have a responsibility to ensure their use is proportionate
and subject to a data protection impact assessment. They must both now
explain how exactly they are using this system, how their use is
consistent with data protection rules, how it came to be that this
data was exposed, and what changes they've made to ensure it never
happens again.
The dashboard was taken offline within a few hours of The Register
alerting officials. Sheffield City Council and South Yorkshire Police
added: "As soon as this was brought to our attention we took action to
deal with the immediate risk and ensure the information was no longer
viewable externally. Both Sheffield City Council and South Yorkshire
Police have also notified the Information Commissioner's Office. We
will continue to investigate how this happened and do everything we
can to ensure it will not happen again."
A total of 8,616,198 records of vehicle movements, by time, location,
and number plate, could be searched through the dashboard last week,
The Register understands. This number constantly grew as more and more
number plates were captured by the 100 live cameras feeding the
system, and locations of vehicles were logged along with timestamps.
A screenshot showing a number plate's journey through the Sheffield
ANPR network, sent to The Register. On the left, the location of the
camera that spotted the plate and timestamps, and on the right, the
number plate. Full details have been obscured for privacy reasons ...
Click to enlarge
One camera alone recorded at least 13,000 number plates on Thursday,
April 13 – having previously captured 21,000 on Monday, February 24,
before the UK entered its coronavirus lockdown, we understand.
The exposed dashboard was in active use, we were reliably told, with
entries in the logs being processed and marked as "cleared" as
recently as last Wednesday (22nd April). We understand some links on
the publicly exposed dashboard, however, returned error messages when
clicked on, such as the so-called "hot list."
'Traffic enforcement camera'
The dashboard's cameras were identified as belonging to Sheffield City
Council after their descriptions were matched with a November 21, 2018
council document [PDF, 32 pages] and its weighty appendix [PDF, 132
pages] approving a "clean air zone" proposal. Modelled on London's
lucrative congestion tax, which grossed £230m in FY2018-19 [PDF, page
106], the proposed clean-air zone for Sheffield – in which certain
vehicles are charged a daily fee for driving into the city centre –
was to be enforced by the council's ANPR camera network, installed in
2014.
Nowhere in the public-facing 32-page council document nor the 132-page
appendix is the word "privacy" mentioned let alone "privacy impact
assessment." The only impact assessment mentioned as being carried out
was an equality one, allegedly to ensure "different communities" in
Sheffield wouldn't object to the low-emission zone.
The ANPR dashboard began recording on November 20, 2018. The camera
locations and backend system date back to their 2014 deployment.
Helpfully, the council document set out examples of signs bureaucrats
promised would be erected to warn drivers they were under automated
surveillance.
What the council said it would erect around its cameras
"At all boundary entry points a sign to inform drivers that ANPR
camera technology is in use for enforcement purposes will be erected,"
the council document declared.
While locating about half of the council cameras by eye with Google
Street View, with the imagery dating from 2019, neither El Reg nor
Kubecka noticed signs explicitly mentioning ANPR – but there was no
shortage of obscurely worded "traffic enforcement" signs along with
the folding Brownie camera-like graphic associated for decades with
speed cams.
ANPR camera just off Hunter's Bar Roundabout in Sheffield. Note the
vandalized 'traffic enforcement' warning sign immediately in front of
it
Above is an example of what the council actually put up in Sheffield
city centre next to one of its ANPR cameras.
Security? Not even through obscurity
An infosec researcher who asked not to be named looked at the server
hosting the ANPR dashboard, and told us its configuration revealed the
existence of an SFTP account as well as the address of a storage drive
filled with raw ANPR images. In addition, we were told the IPv4
addresses of each and every camera was exposed through the dashboard.
Typically, ANPR systems consist of regular CCTV cameras feeding a
software backend that scans captured still images with optical
character recognition technology to isolate and identify number
plates. Raw images sometimes capture the faces of drivers and
passengers, as well as pedestrians passing by, people entering and
leaving homes and shops, as well as anyone they happen to meet in
sight of a camera. All of this could have been extracted by a hacker
who guessed or brute-forced the password to the image storage server
after finding the unsecured dashboard.
The dashboard also included a live-updating map that allowed anyone to
pinpoint the precise location of a vehicle as it showed up on the ANPR
system in real time. And, if you're wondering who supplied this
technology, every page we were sent has 3M Neology at the top:
Lawyers for ANPR dashboard maker Neology told The Register the
Sheffield system was put together by American megacorp 3M in September
2014. Around the same time, the business unit building the system was
sold to Neology, with the lawyers insisting "our client has not been
responsible for the management of the system" since then.
Back in 2011, South Yorkshire Police (SYP) led Britain in the ignoble
national ANPR surveillance camera league table, as we reported at the
time.
More information about the BreachExchange
mailing list