Exclusive: In an error described as “astonishing and disturbing”, Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
The internal management dashboard of the ANPR camera system was accessible by simply entering its IP address in a web browser. No login details or authentication of any kind were required to view and search the live system – which records where and when vehicles, identified by their license plates, travel across Sheffield's road network.
Britain's Surveillance Camera Commissioner, Tony Porter, called the security failure “both astonishing and worrisome” and demanded a full investigation into the snafu.
He told us, “As chairman of the ANPR National Independent Advisory Group, I will request a report on this incident. I will focus on the comprehensive national standards that exist and examine emerging compliance issues or their failure.”
Eugene Walker, executive director of resources for Sheffield City Council, and deputy chief David Hartley of South Yorkshire Police, told us:
The Register learned of the unprotected dashboard from infosec author and expert Chris Kubecka, who discovered it using the Censys.io search engine. She said: “Has the public ever been informed that the system would be in place and that the risks were reasonable? Was there an opportunity for public debate – or, as in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?”
A screenshot of the exposed ANPR management dashboard from Sheffield City Council, sent to The Register.
The unsecured management dashboard could have been used by anyone who found it to easily reconstruct the journey of a particular vehicle, or a series of journeys, from its license plate, up to the minute. An attacker could have renamed the cameras or changed the key metadata presented to operators, such as the location, direction, and unique identification number of a camera.
Edin Omanovic of Privacy International lamented the potential for privacy breaches in the system, telling The Register: “Time and time again, we have seen the introduction of surveillance technology for very specific purposes, only to slip into other areas of application.” Omanovic continued:
The dashboard was taken offline a few hours after The Register alerted officials. Sheffield City Council and South Yorkshire Police added: “As soon as it was brought to our attention, we took steps to address the immediate risk and to make the information no longer visible to the Sheffield City Council and South Yorkshire Police have also informed the Office of the Information Commissioner and we will continue to investigate how this has happened and do our best to ensure that it does not happen.”
A total of 8,616,198 vehicle movement records, searchable by time, location and license plate, were available on the dashboard last week, The Register understands. This number steadily increased as more and more license plates were captured by the 100 live cameras feeding the system, and vehicle locations were recorded with time stamps.
A screen capture showing the route of a license plate through the Sheffield ANPR network, sent to The Register. On the left, the location of the camera that spotted the plate and the time stamps, and on the right, the license plate. All details have been hidden for reasons of confidentiality.
One camera alone recorded at least 13,000 license plates on Thursday, April 13 – after capturing 21,000 on Monday, February 24, before the United Kingdom entered its coronavirus lockdown, we understand.
The exposed dashboard was in active use, we were reliably told, with log entries being processed and marked as “deleted” as recently as last Wednesday (April 22). We understand that some links on the publicly exposed dashboard, however, returned error messages when clicked, such as the so-called “pick list”.
“Traffic enforcement camera”
The dashboard's cameras were identified as belonging to Sheffield City Council after their descriptions were matched with a council document dated November 21, 2018 [PDF, 32 pages] and its weighty appendix [PDF, 132 pages] approving a proposal for a “clean air zone”. Modeled after the lucrative London congestion charge, which raised £230 million in the 2018-19 financial year [PDF, page 106], the Sheffield clean air zone proposal – in which some vehicles are charged a daily fee to enter the city center – was to be implemented using the council's ANPR camera network, installed in 2014.
Nowhere in the 32-page council document accessible to the public, nor in the 132-page annex, does the word “privacy” appear, let alone “privacy impact assessment”. The only impact assessment mentioned as being carried out was an equality assessment, allegedly to ensure that “different communities” in Sheffield would not oppose the low emission zone.
The ANPR dashboard began recording on November 20, 2018. The locations of the cameras and the backend system date back to their deployment in 2014. Usefully, the Council document gave examples of signs promised by bureaucrats to warn drivers that they were under automated surveillance.
“At all border entry points, a sign informing drivers that ANPR camera technology is used for law enforcement purposes will be erected,” said the council document.
While locating about half of the council's cameras by eye on Google Street View, using images dating from 2019, neither El Reg nor Kubecka noticed signs explicitly mentioning ANPR – but there was no shortage of obscurely worded “traffic control” signs bearing the folding Brownie camera-like graphic associated with speed cameras for decades.
An ANPR camera just next to the Hunter's Bar roundabout in Sheffield. Note the vandalized “traffic enforcement” warning sign just opposite.
Above is an example of what the council actually installed in downtown Sheffield next to one of its ANPR cameras.
Security? Not even in the dark
An infosec researcher who asked not to be named looked at the server hosting the ANPR dashboard, and told us that its configuration revealed the existence of an SFTP account as well as the address of a storage drive full of raw ANPR images. In addition, we were told that the IPv4 addresses of each camera were exposed through the dashboard.
Typically, ANPR systems consist of ordinary CCTV cameras feeding a software backend that processes the captured still images with optical character recognition technology to isolate and identify license plates. Raw images sometimes capture the faces of drivers and passengers, as well as passing pedestrians, people entering and leaving homes and shops, and anyone else who passes in front of the camera. All of this could have been extracted by a hacker who guessed or brute-forced the password to the image storage server after finding the insecure dashboard.
The dashboard also included a live-updating map that allowed anyone to pinpoint the location of a vehicle as it appeared on the ANPR system in real time. And, if you're wondering who provided this technology, every page that was sent to us carries the name 3M Neology at the top.
Lawyers for ANPR dashboard maker Neology told The Register the Sheffield system was set up by American megacorp 3M in September 2014. Around the same time, the business unit that built the system was sold to Neology. The lawyers insisted that “our client is not responsible for the management of the system” since then.
In 2011, South Yorkshire Police (SYP) led Britain in the despicable national ranking table of ANPR surveillance cameras, as we reported at the time.