Exclusive In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.
Britain's Surveillance Camera Commissioner Tony Porter described the security lapse as "both astonishing and worrying," and demanded a full probe into the snafu.
He told us: "As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof."
Eugene Walker, Sheffield City Council's executive director of resources, together with Assistant Chief Constable David Hartley of South Yorkshire Police, told us:
We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach.
The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, who stumbled across it using search engine Censys.io.
She said: "Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"
The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number.
Privacy International's Edin Omanovic lamented over the privacy-busting potential of the system, telling The Register: "Time and again we've seen the introduction of surveillance tech for very specific purposes, only to creep into other areas of enforcement."
Omanovic continued:
ANPR use must be proportionate to the problem it's trying to address – it's not supposed to be a tool of mass surveillance. Both the council and police have a responsibility to ensure their use is proportionate and subject to a data protection impact assessment. They must both now explain how exactly they are using this system, how their use is consistent with data protection rules, how it came to be that this data was exposed, and what changes they've made to ensure it never happens again.
The dashboard was taken offline within a few hours of The Register alerting officials.
Sheffield City Council and South Yorkshire Police added: "As soon as this was brought to our attention we took action to deal with the immediate risk and ensure the information was no longer viewable externally. Both Sheffield City Council and South Yorkshire Police have also notified the Information Commissioner's Office. We will continue to investigate how this happened and do everything we can to ensure it will not happen again."
A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps. One camera alone recorded at least 13,000 number plates on Thursday, April 13 – having previously captured 21,000 on Monday, February 24, before the UK entered its coronavirus lockdown, we understand.
The exposed dashboard was in active use, we were reliably told, with entries in the logs being processed and marked as "cleared" as recently as last Wednesday (22nd April). We understand some links on the publicly exposed dashboard, however, returned error messages when clicked on, such as the so-called "hot list."
Continues at https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/
None of the IT people on the list will be particularly surprised. And maybe, who knows... it's "a fair amount of dramatization". ;-)
Giacomo