Exclusive: In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.
The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.
Britain's Surveillance Camera Commissioner Tony Porter described the security lapse as "both astonishing and worrying," and demanded a full probe into the snafu.
He told us: "As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof."
Eugene Walker, Sheffield City Council's executive director of resources, together with Assistant Chief Constable David Hartley of South Yorkshire Police, told us:
"We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach."
The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine Censys.io. She said: "Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"
A screenshot of Sheffield City Council's leaked ANPR management dashboard, sent to The Register
The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number.
Privacy International's Edin Omanovic lamented the privacy-busting potential of the system, telling The Register: "Time and again we've seen the introduction of surveillance tech for very specific purposes, only to creep into other areas of enforcement." Omanovic continued:
"ANPR use must be proportionate to the problem it's trying to address – it's not supposed to be a tool of mass surveillance. Both the council and police have a responsibility to ensure their use is proportionate and subject to a data protection impact assessment. They must both now explain how exactly they are using this system, how their use is consistent with data protection rules, how it came to be that this data was exposed, and what changes they've made to ensure it never happens again."
The dashboard was taken offline within a few hours of The Register alerting officials. Sheffield City Council and South Yorkshire Police added: "As soon as this was brought to our attention we took action to deal with the immediate risk and ensure the information was no longer viewable externally. Both Sheffield City Council and South Yorkshire Police have also notified the Information Commissioner's Office. We will continue to investigate how this happened and do everything we can to ensure it will not happen again."
A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps.
A screenshot showing a number plate's journey through the Sheffield ANPR network, sent to The Register. On the left, the location of the camera that spotted the plate and timestamps, and on the right, the number plate. Full details have been obscured for privacy reasons
One camera alone recorded at least 13,000 number plates on Thursday, April 13 – having previously captured 21,000 on Monday, February 24, before the UK entered its coronavirus lockdown, we understand.
The exposed dashboard was in active use, we were reliably told, with entries in the logs being processed and marked as "cleared" as recently as last Wednesday (22nd April). We understand some links on the publicly exposed dashboard, however, returned error messages when clicked on, such as the so-called "hot list."
'Traffic enforcement camera'
The dashboard's cameras were identified as belonging to Sheffield City Council after their descriptions were matched with a November 21, 2018 council document [PDF, 32 pages] and its weighty appendix [PDF, 132 pages] approving a "clean air zone" proposal. Modelled on London's lucrative congestion tax, which grossed £230m in FY2018-19 [PDF, page 106], the proposed clean-air zone for Sheffield – in which certain vehicles are charged a daily fee for driving into the city centre – was to be enforced by the council's ANPR camera network, installed in 2014.
Nowhere in the public-facing 32-page council document nor the 132-page appendix is the word "privacy" mentioned let alone "privacy impact assessment." The only impact assessment mentioned as being carried out was an equality one, allegedly to ensure "different communities" in Sheffield wouldn't object to the low-emission zone.
The ANPR dashboard began recording on November 20, 2018. The camera locations and backend system date back to their 2014 deployment. Helpfully, the council document set out examples of signs bureaucrats promised would be erected to warn drivers they were under automated surveillance.
"At all boundary entry points a sign to inform drivers that ANPR camera technology is in use for enforcement purposes will be erected," the council document declared.
While locating about half of the council cameras by eye with Google Street View, with the imagery dating from 2019, neither El Reg nor Kubecka noticed signs explicitly mentioning ANPR – but there was no shortage of obscurely worded "traffic enforcement" signs along with the folding Brownie camera-like graphic associated for decades with speed cams.
ANPR camera just off Hunter's Bar Roundabout in Sheffield. Note the vandalized 'traffic enforcement' warning sign immediately in front of it
Above is an example of what the council actually put up in Sheffield city centre next to one of its ANPR cameras.
Security? Not even through obscurity
An infosec researcher who asked not to be named looked at the server hosting the ANPR dashboard, and told us its configuration revealed the existence of an SFTP account as well as the address of a storage drive filled with raw ANPR images. In addition, we were told the IPv4 addresses of each and every camera were exposed through the dashboard.
Typically, ANPR systems consist of regular CCTV cameras feeding a software backend that scans captured still images with optical character recognition technology to isolate and identify number plates. Raw images sometimes capture the faces of drivers and passengers, pedestrians passing by, people entering and leaving homes and shops, and anyone they happen to meet in sight of a camera. All of this could have been extracted by a hacker who guessed or brute-forced the password to the image storage server after finding the unsecured dashboard.
The dashboard also included a live-updating map that allowed anyone to pinpoint the precise location of a vehicle as it showed up on the ANPR system in real time. And, if you're wondering who supplied this technology, every page we were sent has 3M Neology at the top.
Lawyers for ANPR dashboard maker Neology told The Register the Sheffield system was put together by American megacorp 3M in September 2014. Around the same time, the business unit building the system was sold to Neology, with the lawyers insisting "our client has not been responsible for the management of the system" since then.
Back in 2011, South Yorkshire Police (SYP) led Britain in the ignoble national ANPR surveillance camera league table, as we reported at the time.
SYP managed to scan 726 million number plates last year, as trade mag Auto Express revealed last December. ®