Observations, musings and conjecture about the world of software and technology

Find my car, find your car, find everybody’s car; the Westfield’s iPhone app privacy smorgasbord

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page:

“Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.”

If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public.

Intended use

Let’s begin with how the app looks to the end user. This all started out life as the Westfield malls app in the iTunes App Store, and for some time now it has been able to help you find stores in the centre. More recently it gained a “Parking” feature: you enter a number plate, get back a series of images and then receive directions to the one which appears to be your vehicle. Perhaps Westfield drew inspiration from Seinfeld’s The Parking Garage on this one! Here’s how it all ties together:

Westfield malls app home page
Entering a number plate to search by
Four photos of vehicles matching the search results
Directions to the parking bay

To the casual user of the application, the number plates – and this is what I’m really talking about when I say “privacy” – appear to be indiscernible. Certainly it’s not clear from the images above, but it’s also not clear after screen grabbing and enlarging it:

Close up shot of a vehicle

The number plate is actually AWC11A, but we’ll get back to that.

Anyway, this is all made possible by Park Assist’s technology, which puts the little unit in the image below on the ceiling between the parking bays so it can both notify customers of vacant spots and snap pictures of vehicles once they park:

Park Assist M3 camera vision system

The interesting bit, though, is that the implementation behind this app readily exposes a fairly extensive set of data that many people would probably be concerned about. And it doesn’t have to.

Under the covers

Smartphone apps that depend on data retrieved from the internet tend to work by talking backwards and forwards to web services over the same protocol as most of your other internet traffic: HTTP. Very often these services return far more information than the small subset the app actually shows the user. In Westfield’s case it was fair to assume that this service would contain some information about the vehicles matching the number plate search and where they are located.

Using a free tool like Fiddler and pointing the iPhone at it as its HTTP proxy, it’s easy to inspect the communication between the app and the server it’s talking to. When I did this for the Westfield app, here’s what I found:

Fiddler trace when locating a vehicle

What we’re seeing here is a total of five requests made to Westfield’s server: the first one returns a JSON response containing the data describing the location of cars matching the search; the next four retrieve the pictures of the cars returned by the search. Here’s what we get:

Vehicle 1
Vehicle 2
Vehicle 3
Vehicle 4

Apart from the slight difference in aspect ratio, this is exactly what we saw in the original app, so no surprises yet. But here’s where it gets really interesting: let’s examine that JSON response. Firstly, it’s a GET request to the following address:

http://120.151.59.193/v2/bays.json?visit.plate.text=abc123~0.3&is_occupied=true&limit=4&order=-similarity

One of the nice things about a RESTful service like this is the ability to easily pass parameters in the request. In the URL above, we can see four parameters:

  1. The number plate we’re searching for, appended with “~0.3” (presumably a fuzzy-match tolerance, given the ordering below)
  2. An “is_occupied” value set to “true”
  3. A “limit” set to “4”
  4. An “order” set to “-similarity”

Now when we look at the response body, we see the following:

4 JSON collections returned

What this is telling us is that the JSON response contains four collections of data. Let’s expand that first one and see what’s inside:

The contents of the JSON collection

This is a fair bit of data. Actually it’s a lot of data, and it’s being sent down to your phone every time you try to locate a car. Remember, all the app needs to do is show us an image of what may be our car. But the really worrying bit is what’s inside the “visit” node: Westfield is storing and making publicly accessible the time of entry and the number plate (see the “text” field) of what appears to be every single vehicle in the centre. What’s more, it’s available as a nice little service easily consumable by anyone with the know-how to build some basic software.

But this is only four results, right? Actually, it’s worse than that. A lot worse. The URL for the service endpoint we looked at earlier contains a number of parameters – filters, if you like – and removing them returns the current status of all 2,550 sensors. This includes the number plate of any car currently occupying a space and, as you can see, it’s available by design to anyone:

http://120.151.59.193/v2/bays.json

You can freely request that resource over and over as many times as desired and then store the data to your heart’s content. Now that is a privacy concern.

The impact to privacy

What this means is that anyone with some rudimentary programming knowledge can track the comings and goings of every single vehicle in one of the country’s busiest shopping centres. In an age where we’ve become surrounded by surveillance cameras we expect our movements to be monitored by the likes of centre management or security forces, but not on public display to anyone with an internet connection!

Think about the potential malicious uses if you’re able to write a simple bit of software:

  1. A stalker receives a notification when their victim enters the car park (and they’ll know exactly where the victim is parked).
  2. A suspicious husband tracks when his wife arrives and then leaves the car park.
  3. An aggrieved driver holding a grudge from a nearby road rage incident monitors for the arrival of the other party.
  4. A car thief with their eye on a particular vehicle could be notified once it is left unattended in the car park.

With Westfield standing up the service in the way they have, this becomes extremely easy. Furthermore, this is just one shopping centre out of dozens of Westfields across the country. If this practice continues, data mining the movements of individual vehicles across shopping centres will be a breeze for anyone with basic programming knowledge. And that’s really the crux of the problem in that this isn’t one of those “Oh no, the big corporation is tracking me” situations, it’s that anyone can track me.

Whilst I’m by no means a strong privacy advocate (I have a fairly open life on display through numerous channels on the web), something about this just doesn’t sit quite right with me. Certainly those people who are strong privacy advocates would object to such a public disclosure of information.

What needs to be done

Putting my “software architect / security hat” back on for a moment, the problem is simply that Westfield is exposing data this application has no need for. The best way to keep a secret is to never have it; the next best is to never hand it out, and this is where they’ve gone wrong.

The parking feature of the app is designed for only one purpose: taking a number plate from the user and returning four possible positions with grainy images of the vehicle. On this basis, every piece of data in the “visit” node in the image earlier on is totally unnecessary, as are the ability to pull back more than four records at a time and the ability to do it over and over again as fast as possible. All that is required is the image, so that someone can visually verify it’s their car (the number plate need not be clear), and of course information on the location within the centre.

If they were to do this, the privacy risk would be dramatically reduced, as all you’re left with as Joe Public is a small bunch of grainy images with indecipherable number plates. The positive confirmation of the service explicitly returning the number plate (and its degree of confidence in the match) is gone. Sure, there’s still a privacy risk in that I can manually open up the app and search for someone’s car, then manually ID it, but the potential for automation is gone.

In fact most of the data returned by that service is totally unnecessary. Trimming it back would not only (largely) resolve the privacy problem, it would also shrink the response, hence speeding it up for the end user and reducing the bandwidth burden on Westfield. Win-win-win.
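To make the data-minimisation point concrete, here is an added example modelling the response shape described in the “Under the covers” section and the trimmed shape argued for here. It is my illustration, not Park Assist’s or Westfield’s code. The bay records are constructed; of the field names, only “is_occupied”, “similarity” and “visit.plate.text” appear in the post, while “id”, “location”, “image”, “entry_time” and “confidence” are assumed, as is the use of a plain string-similarity ratio to stand in for whatever matcher the real service used. leaky_bays mirrors the endpoint as described (every filter optional, full visit node returned), minimal_bays returns only what the app renders with a hard server-side cap of four, RateLimiter addresses the “over and over as fast as possible” problem, and plate_movements shows why the unfiltered dump matters.

```python
"""Leaky bays.json shape beside a minimal, hardened equivalent.

Added example, not Park Assist or Westfield code. Records, most field names
and the matching algorithm are constructed/assumed (see comments).
"""
from __future__ import annotations

import difflib
import time
from collections import defaultdict, deque
from typing import Any

MAX_RESULTS = 4  # the app only ever shows four candidate photos


def bay(bay_id: int, level: str, number: str, plate: str | None = None,
        entered: str | None = None, confidence: float = 0.9) -> dict[str, Any]:
    """Build one constructed bay record in the shape the post describes.
    Field names other than is_occupied and visit.plate.text are assumed."""
    occupied = plate is not None
    return {
        "id": bay_id,
        "is_occupied": occupied,
        "location": {"level": level, "bay": number},
        "image": f"/v2/bays/{bay_id}/image.jpg" if occupied else None,
        # The visit node is what the post objects to: plate text and entry time.
        "visit": {"entry_time": entered,
                  "plate": {"text": plate, "confidence": confidence}}
        if occupied else None,
    }


# Constructed sample data (plates and times are made up).
BAYS = [
    bay(101, "P2", "2-118", "AWC11A", "2011-09-13T10:02:41+10:00"),
    bay(102, "P2", "2-119", "ABC123", "2011-09-13T10:15:07+10:00"),
    bay(103, "P2", "2-120", "ABC128", "2011-09-13T10:20:55+10:00"),
    bay(104, "P3", "3-007"),  # vacant bay: no visit, no image
    bay(105, "P3", "3-008", "XYZ789", "2011-09-13T09:48:12+10:00"),
    bay(106, "P3", "3-009", "ABD123", "2011-09-13T10:31:30+10:00"),
    bay(107, "P4", "4-201", "QRS456", "2011-09-13T08:59:03+10:00"),
]


def plate_similarity(query: str, plate: str) -> float:
    """Stand-in for the service's fuzzy plate match (assumption: SequenceMatcher ratio)."""
    return difflib.SequenceMatcher(None, query.upper(), plate.upper()).ratio()


def leaky_bays(bays, plate=None, min_similarity=0.0, is_occupied=None, limit=None):
    """What the post describes: every filter is optional (drop them all and you
    get every sensor) and each hit carries the full visit node."""
    rows = [b for b in bays if is_occupied is None or b["is_occupied"] == is_occupied]
    if plate is not None:
        rows = [b for b in rows if b["visit"]
                and plate_similarity(plate, b["visit"]["plate"]["text"]) >= min_similarity]
        rows.sort(key=lambda b: -plate_similarity(plate, b["visit"]["plate"]["text"]))
    return rows[:limit] if limit else rows


def minimal_bays(bays, plate: str, limit: int = MAX_RESULTS):
    """Hardened shape: plate is mandatory, occupied bays only, the result count
    is capped server-side whatever the client asks for, and only the image
    reference and bay location (what the app actually renders) are returned."""
    if not plate.strip():
        raise ValueError("plate query is required")
    occupied = [b for b in bays if b["is_occupied"]]
    occupied.sort(key=lambda b: -plate_similarity(plate, b["visit"]["plate"]["text"]))
    return [{"image": b["image"], "location": b["location"]}
            for b in occupied[:min(limit, MAX_RESULTS)]]


class RateLimiter:
    """Per-client sliding window so the endpoint cannot be polled over and over
    as fast as possible. The clock is injectable for deterministic tests."""

    def __init__(self, max_calls: int, period: float, clock=time.monotonic):
        self.max_calls, self.period, self.clock = max_calls, period, clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits[client]
        while hits and now - hits[0] >= self.period:  # expire old calls
            hits.popleft()
        if len(hits) >= self.max_calls:
            return False
        hits.append(now)
        return True


def plate_movements(before, after):
    """Why the unfiltered dump matters: diffing two leaky snapshots yields
    arrivals and departures by plate, the tracking the post warns about."""
    plates = lambda rows: {r["visit"]["plate"]["text"] for r in rows if r["visit"]}
    return {"arrived": sorted(plates(after) - plates(before)),
            "departed": sorted(plates(before) - plates(after))}


if __name__ == "__main__":
    print(len(leaky_bays(BAYS)), "sensors dumped with no filters")
    hit = leaky_bays(BAYS, plate="abc123", min_similarity=0.3, is_occupied=True, limit=4)[0]
    print("leaky:", hit["visit"])
    print("minimal:", minimal_bays(BAYS, "abc123"))
```

The key design choice is that the plate comparison happens server-side and neither the plate text nor its confidence is ever echoed to the client; the client asking for limit=2550 still gets at most four rows, and a client that polls faster than the limiter allows gets refused.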

Summary

In the process of researching and writing this post I also identified other major vulnerabilities of a rather serious nature. I’ve done the right thing and attempted to notify Westfield of these and won’t publicly disclose them.

The information above, on the other hand, is already public knowledge insofar as people know there is a publicly accessible database containing their cars; they just probably don’t know how easy it is to get hold of. But of course by design, this information is intended to be consumed on demand, as frequently as desired and for any vehicle in the car park.

All in all, this just doesn’t seem to have been very well thought out on the part of the developers. In fact on that basis, if Park Assist is behind this and they’ve implemented the same system in other locations, the Bondi situation could just be the tip of the iceberg. In all likelihood, it’s not Westfield’s intent to expose this volume of information in such an easily consumable fashion and hopefully they’ll ask for the software to be revised once they’re aware of the full extent of the situation.

Update 1, 11:10 Sep 14: A couple of hours after posting this, a helpful reader contacted Park Assist directly and they responded promptly by pulling the service altogether (they appear to control the environment). Based on their response, it seems the API into the service should never have been publicly exposed and used by the iPhone app in this fashion. It also appears that in addition to the privacy risk, further security vulnerabilities were identified by other individuals. Whilst I won’t disclose these publicly, I did attempt to contact Westfield directly about the issue. As of now, I’m still to get a response from them.

Update 2, 12:00 Sep 14: I just had a good phone chat with the guy from Park Assist who provided the response linked to in the previous update. In short, they’ve handled this situation very efficiently and have responded with urgency and professionalism. We discussed some general security concepts including how the service could be properly secured for future use and it’s clear they understand precisely what needs to be done. It’s unfortunate for them that the software was configured in this fashion in the first place but certainly they’re doing everything right in their response.

32 comments:

Mike Doyle said...

wow - that's some good detective work Troy - and uncovering the ugly side of a useful app.  Very sloppy work on behalf of the creators.

It's also all in plain http?  No actual encryption?

Troy Hunt said...

The plain text isn't really the issue as the data shouldn't be there to begin with. Ultimately the only identifiable piece of information required is the grainy photo of the number plate - just enough to ascertain it's your vehicle. And even if the data was encrypted in transit, it's still easily consumable as it's in the clear once it arrives.

Mike Doyle said...

yeah - good point.  When everything's public anyway - doesn't matter if it's encrypted.

lxt said...

Talking of terrible security, somebody - presumably a ParkAssist developer - has uploaded a significant chunk of source code to pastie that appears to be connected with this feature: from what I can tell, it powers some administration page for the sensors.

Check it out here: http://pastie.org/pastes/1789181

garazy said...

Excellent research Troy! I always park on the roof at Bondi Junc. hopefully that is a short term solution!

Raphael said...

Nice work.
Did you contact Westfield or parkassist?
Wouldn't some kind of responsible disclosure have been better than putting this exploit out in the wild?

No One said...

Responsible? Is that a joke?

Why the heck does this guy owe these people anything? They don't seem to care about being responsible and certainly they don't care about data privacy!

They can't design a system this privacy invasive and then get angry that someone showed the world about their disregard for privacy!

They're the ones that put this in the wild. Don't shoot the messenger.

Raphael said...

I do not care about the developers but about the car owners.
These people do not have any reason to mistrust Westfield, yet they might be negatively affected by this exposure.
I think the primary goal should be getting this security hole fixed, not pointing out how incompetent a company is.

Raphael said...

Oh, sorry, too much text :)
Nevertheless, what were the reasons for writing about the privacy vulnerability while it is still exploitable?

Troy Hunt said...

The reason is simply for awareness. Consumers reasonably expect to know the extent to which they're being monitored and how public that information is made and that isn't being made apparent to them. The point I'm making above is that the ability to monitor this is by design; this is how the application is intended to function. My point in the "What needs to be done" section is that I believe they can still achieve the same end result in a more efficient fashion that is more respectful of shoppers' privacy.

ghuntley said...

I sure hope there's authentication on the signs.json PUT update API, or Westfield's signs are probably about to go crazy. (i.e. people might be able to remote control the parking indicators)

Anyway, after locating the appropriate contact via the API (lol) I gave ParkAssist (Sydney) a call and advised them of this blog post. 

http://120.151.59.193/v2/email-alerts

Troy Hunt said...

Thanks for reaching out to Park Assist, I was about to contact them in addition to Westfield given the attention this is receiving. Hopefully they can plug any actual vulnerabilities quickly and address the privacy issue in due course.

Troy Hunt said...

That's great, thanks for the feedback.

3KWA said...

oh my god public information about my car parked in a public place

Liam O'Boyle said...

If they're using BASIC auth without SSL, then this is still fundamentally broken; the proxying approach will reveal the auth details, so the API is still exposed.

Troy Hunt said...

For this app, there need not be any auth - the data is meant to be publicly queryable. Of course how they secure the existing services to the non public apps, that's another question altogether and certainly I'd like to see TLS play a role there.

Frank said...

Who developed the app for Westfield? They should be named and shamed in my opinion, cutting corners like that is not acceptable.

Craig said...

Well, that's the last time I go to Westfield Bondi... and I will be watching for these cameras to appear in other centres, I will avoid them too.. Even if not publicly accessible I have concerns regarding the dossier Westfield now have based on my parking in their shopping centre.... Or how about this for a use: I want to steal from a house... so I watch for a day or 2 and get their number plate... then I periodically use my Westfield app to see their shopping patterns (all from the comfort of my home)... now I can find a nice window to hit the house.. and while I'm doing it, I can keep checking they are there.. and not on their way home to surprise me....

Again, I'm happy not to shop there again.

Mike @ VFAC said...

It is not so much public information about your car parked in a public place, it is the enabling of criminal behavior that is the issue. If there was a guy in the car park taking notes of everyone's number plate and when they arrived and left, the mall security would intervene (either ask the person to leave or notify the police of suspicious behavior). This system allows them to do that same thing remotely without detection and over a long period of time without breaking the law as the information is available without the need for computer misuse.
Beyond the reasons that Tony mentioned a legally created database of when people in a geographic area with routines are away from their houses could be put to very bad use. 

Alan said...

Hmm. I think the response from Park Assist and Westfield says as much about the two organisations as anything else. PA acknowledge with almost brutal honesty their mea culpa, Westfield hide behind 'well we weren't strictly breaking the Privacy Act so run along now, it's not as bad as all that'. Obviously written after consulting their legal department.

As Troy said there absolutely is a world of difference between trawling manually a car park for a car, and being able to poll an active data list of what's in there. I shudder to think what else he's sitting on and hasn't disclosed to us. Let's hope Westfield take on board the other stuff he's found too.

IMO handled well and quickly by PA, not by Westfield. 

Jason Ozolins said...

whoops, looks like all the line breaks got dropped.  My apologies.

John Batistich said...

Troy, I would like to take you up on the offer to provide testing support. We are keen to rectify and reintroduce the service and we would value your counsel. How do we make this happen?

craigs said...

I say I'm all for it. Let's have more nonsense like this and we can all run fake plates on our cars.

They can't stop us all.

Motorcycles and semi trucks get away with things passenger vehicles cannot because of the raw numbers and inability to enforce the rules.

Keep it up, it'll save me from having to pay the state to have a piece of metal on my car.

Lauren said...

Did anyone think that there is probably no phone service in the car parks? Hence you won't be able to use the app?

Ali said...

The data is captured and used by ParkAssist, not Westfield (which pays PA a lot of money to provide the service). The longer term game for Park Assist is to do analysis on the data: how often you visit, how long you stay, map your car to you and see where you go; match your number plate to other databases (Packers Axiom for example) and now they know who you are .............) and make more money by selling this information. :)

Ali said...

The reality is PA and certainly Westfield couldn't care less if you find your car or not. The longer you live in the carpark the more you pay. This system is ultimately designed to match your plate to your ID and then track your shopping. (ie until facial recognition gets as sexy as NCIS pretends it is, PA will use your plates to get some indication of who you are, provide this to Westfield who (for a small fee) will then be able to tell vendors all about you)

Rex in Munich said...

"probably no phone service" would logically lead to "possibly not able to use the app". Or better, sometimes not available means sometimes IS available. So still an issue

Kooky said...

If you had phoned Westfield and spoken to someone in Head Office in the first place when you discovered the problem, you probably could have saved some time writing the article.

anonymous said...

If you go to Bondi carpark there is a very suspicious looking 'PARKASSIST' WPA SSID being used. Watching for a while it looked like the parking station was at least running partly on wireless. There may be vulnerabilities if you go looking.

Mike said...

I know.  Really.

iPhone Car said...

With this app one can easily find the place to park their car and even after parking, they can find where they park their car.
