Number-Plate Cam Site Had No Password, Spills 8.6 Million Logs of UK Road Journeys

The Register reports that Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people. From the report: The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system — which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network. Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu. He told us: “As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof.”

The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle’s journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera’s location, direction, and unique identifying number. A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps. The dashboard was taken offline within a few hours of The Register alerting officials.