A dataset thought to belong to UK law enforcement agencies left information on millions of vehicles accessible to the public, the Cybernews research team has discovered. Threat actors could use this information to track commuters or destroy evidence.
Researchers spotted the dataset during a routine, open-source intelligence (OSINT) based check-up when they came across 24GB of data from Automatic Number Plate Recognition (ANPR) cameras from around the United Kingdom.
The dataset contained a whopping 17 million entries, including registered vehicle speed and the speed limit in the area, speed camera locations, license plates of detected vehicles, and their movement direction in relation to the camera.
The accessible database even contained links to images captured by the cameras, whether they matched any blacklists, and if they set off any alerts. However, images captured by the cameras were hosted on a different instance, with proper authorisation restrictions.
Who owns the data?
The team discovered the data sitting on an open Elasticsearch instance. Elasticsearch is a popular search engine favored by enterprises dealing with large, constantly updated volumes of data. The accessible database was hosted on AWS.
While it was not possible to deduce the owner of the database, the type of data stored – vehicle speeds and mainly UK license plates – strongly suggests it belongs to a law enforcement agency or council in the United Kingdom.
Even though the UK does not have a single law enforcement body, due to differing legal systems between England, Wales, Scotland and Northern Ireland, the ANPR system is used nationally, and such camera networks employed by government agencies in the UK form the National ANPR Service (NAS).
"ANPR provides lines of inquiry and evidence in the investigation of crime and is used by forces throughout England, Wales, Scotland and Northern Ireland," the website for policing in the UK states.
The system collects data on every vehicle that passes by an ANPR camera and checks it against database records of suspect vehicles. Among other things, the cameras used by NAS can measure the average speed of a passing vehicle. The system is designed to allow authorities to “intercept and stop a vehicle, check it for evidence and, where necessary, make arrests.”
There are several ways a threat actor could abuse the open dataset. According to Vincentas Baubonis, a researcher at Cybernews, threat actors with the right tools could use the ANPR data to track the movement of unsuspecting commuters.
“Since the database is updated in real-time, deployment of a Kibana interface for this Elasticsearch instance could easily be used to track individuals and their whereabouts. The actual distance of tracking depends on the locations of cameras that are pushing new entries to this database,” Baubonis said.
Moreover, because of the accessible camera locations, offenders could leverage the data to plan a route avoiding ANPR cameras altogether.
An open database is also vulnerable to threat actors who want to edit its contents, and Baubonis thinks that malicious actors could potentially offer evidence-planting services on the dark web with some additional engineering.
“If, however, one would obtain access to the servers which store the actual camera footage, they could provide such service on the premise that they also control the coupled Elasticsearch instance,” Baubonis said.
A massive problem
The discovery of 17 million entries is significant for its volume alone. By comparison, the British authorities estimate there are over 38 million licensed vehicles in the UK. Even if one car produced ten entries in the dataset, that would mean a motivated threat actor could, in theory, track 1.7 million vehicles – or 4.5% of the UK's total car pool.
According to the researchers, at the time of discovery, the dataset was updated with nearly 500 entries each minute, or up to 720,000 entries every 24 hours.
Since the UK police claim ANPR cameras submit 60 million entries daily, the accessible database represents 1.2% of total daily input – not an insignificant amount for a nation of 67 million people.
According to the British government, tailor-made regulations apply for storing and using data collected using the ANPR system. Officers are obliged to follow specific guidelines on who can access the data and when.
"Staff only have access if it's relevant to their role,” the UK police say. “Most of those who have permission may only do so for a maximum of 90 days from the date it was collected. For serious, major, or counter-terrorism investigations, some staff may be given access for up to one year, subject to authorisation of a senior officer.”
The research team informed the authorities about the accessible dataset, disclosing the issue to the UK’s Department for Transport and the National Cyber Security Centre (NCSC), after which public access was revoked.