Lack of Basic Security Measures on Sheffield’s ANPR System Exposes 8.6 Million Records of Vehicle Movements and License Plate Numbers

Earlier this week, security researcher Chris Kubecka and freelance writer Gerard Jannsen stumbled upon a major security flaw in Sheffield City Council’s automatic number-plate recognition (ANPR) system, exposing 8.6 million records of vehicle movements and journeys of citizens.

Following the discovery, the pair shared their findings with The Register, which published the story and informed district authorities.
It appears that accessing ANPR’s internal dashboard was a piece of cake. No authentication methods or credentials were required, and anyone could have viewed or browsed the live system with a simple copy-paste of its IP address.

In response to the news, representatives from Sheffield City Council and South Yorkshire Police told The Register:

“We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach.”

Although there were no signs of malice, viewing the ANPR system in real time along with millions of recorded vehicle details and travel logs could have seriously endangered citizens. By simply using their license plate numbers, bad actors could have tracked down any vehicle travelling around the city and staged an attack or robbery.

If the lack of protection for private information is not enough to fill up your plate, the IT publication also revealed that the servers hosting the ANPR dashboard were home to a storage drive address. The drive featured millions of snapshots taken from the county’s 100 surveillance cameras that provide a constant feed to the system, including license plates, faces of drivers or passengers and nearby pedestrians.

As a result, Sheffield City Council and South Yorkshire Police have reported the incident to the Information Commissioner’s Office and confirmed that the database is no longer viewable to the public:

“As soon as this was brought to our attention we took action to deal with the immediate risk and ensure the information was no longer viewable externally. Both Sheffield City Council and South Yorkshire Police have also notified the Information Commissioner’s Office. We will continue to investigate how this happened and do everything we can to ensure it will not happen again.”