So the underlying server is getting hammered with traffic right now, but this really illustrates why you should always be encrypting this kind of thing.
Because not only did the developers of the app expose public data, they also managed to post their own source code online by using Pastie (check it out here: http://pastie.org/pastes/1789181), and exposed their entire web service documentation here: http://120.151.59.193/v2/help (although it will probably be down by now).
1. The API should never have been made accessible publicly. The regular authentication that protects API access was incorrectly disabled. We have corrected the configuration and the services are now protected again.
2. The code snippet should never have been placed on pastie. We were sloppy in that regard.
While the information in the API is mostly used to get counts of how many spaces in the car park are currently occupied (which you can find out by going to the site and reading the digital signage), any unauthorized access to the data is an unacceptable breach.
We acknowledge that these mistakes should never have occurred and we will need to take a hard look into our security procedures to ensure this does not happen again.
If anyone would like to discuss this issue further, we welcome your comments and advice.
"My name is John Batistich and I am the General Manager Marketing for Westfield. Firstly, thanks Troy for bringing this issue to our attention. Our intention was to create a free service for our customers so they never lose their car again! However, we have more work to do. Our partner, Park Assist, who provide the camera technology to capture the number plate today advised there was an issue with the authentication of their data feed to the iPhone which resulted in number plate data being publicly accessible via the internet. This issue has been addressed immediately by Park Assist and the Find My Car functionality will not be available for approximately one week until the app has been modified to ensure that data cannot be publicly accessible online. Further, the ‘Find my Car’ functionality on our app is similar to other location-based services and has been developed to provide a service to the average shopper, in an effort to make it easier to find their car. In terms of privacy, the application does not contravene the Privacy Act in so far as number plates are not “personal information”, and are therefore not subject to that act. Having said that, the application theoretically could be used for purposes other than its original intention, however it does not facilitate any activity that couldn’t already happen otherwise. For example, a member of the general public may try to use the application to find a car that is not theirs. On the other hand, at the request of police, the application might also be used to assist in their enquiries into a given situation however, Westfield would not expect either of these situations to be typical. We appreciate you bringing this issue to our attention and we are now working on an update to resolve the technical issue."
I was looking over the pastie code (reading is learning :) and noticed they are using Raphael.js for drawing a tooltip polygon. Perhaps I'll add "play with Raphael" to my TODO list. Anyone else using this toolkit for production drawing?
I googled for the "v2/bays.json" string, thinking I might find a few more carparks using the system, but instead found that! So not exactly rocket science.
It's more than just a single snapshot in time though. They are keeping a record of every car's coming and going every day. It wouldn't be difficult to poll a service like that to gather the information yourself for weeks or months worth of data.
Certainly you could drive around a parking lot everyday and get that information but that isn't very likely. It's that aspect of the service that is most troubling.
There's no need for encryption of anything. Send the service a number plate, it returns you an image, tick if that's your car, and it'll tell you where it is. If it's not, it goes to the next one in the list. The issue here is that the server team haven't tailored the API for the app. They've just dumped everything out to the app via a queryable URL string, and left all the logic in there.
/api/v3/plate_search?plate=ABC123 and it can return you the closest match. Search it again from the same phone, get the second match (track the cookie). It's not that hard, it just takes some thought, and Westfield and the vendor have tried to cut corners.
How can Westfield secure this? Whichever method they choose, they have to ship the key with the app, won't they? And then someone can just reverse engineer it out, and we're back at the same place.
Well, to start with they could lock the API down correctly so you had to supply a number plate to get 2-3 likely matches. And fuzz the photos they send a bit more so it is legible enough to identify your car, but not to read the license plate itself. And remove superfluous data from the API results, like time of entry.
As compared to the current system where you can immediately get a list of every car in the carpark, with its location, entry time, and photos where the license plates are discernible.
And they could institute per-IP throttling of requests (no more than 5 an hour or something) to stop someone brute-forcing number plate combinations to get a "map" of the centre.
Finally they could have locked out the admin interface so that random members of the public couldn't do other things as well. ;)
But you're right in general - even implemented correctly, this feature has an interesting privacy implication - at any given time, anyone with a license plate number and a vague description of the vehicle can check if that car is parked at a Westfield, and where it is parked.
Some people have talked about "crypto" and I can see a lot of ways you could add some level of encryption or auth to make things slightly more obfuscated (perhaps require pre-registration of your car), but I can't see any way that would change the fundamentals.
The app is essentially designed to let people look up car locations by license plate numbers, and as long as it does that it seems to me there will be some level of privacy issue.
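The lock-down suggested in the comments above (plate required, only a few closest matches returned, entry time and plate text stripped from the response, per-IP throttling) can be sketched as a small server-side function. The following is an added example written for this page, not Westfield's, Park Assist's or the app's own code; the bay records, the `plate_search`/`Throttle` names, the limits (3 matches, 5 requests per hour) and the bay/photo identifiers are all assumptions, and the sample data is constructed inline. It also shows the "dump everything" shape the thread describes, for contrast.

```python
"""Added example: a hardened plate-lookup endpoint versus the exposed feed.

Not code from the original post or from Westfield / Park Assist. All names,
limits and records below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
import difflib

# Constructed sample of what the exposed feed was described as returning:
# every bay, with plate, location, entry time and a photo reference.
BAYS = [
    {"bay": "L2-014", "plate": "ABC123", "level": 2,
     "entered": "2011-04-13T09:02:11", "photo": "/img/0001.jpg"},
    {"bay": "L2-015", "plate": "ABC128", "level": 2,
     "entered": "2011-04-13T09:05:40", "photo": "/img/0002.jpg"},
    {"bay": "L3-101", "plate": "XYZ999", "level": 3,
     "entered": "2011-04-13T08:11:03", "photo": "/img/0003.jpg"},
    {"bay": "L1-007", "plate": "ABD123", "level": 1,
     "entered": "2011-04-13T10:31:55", "photo": "/img/0004.jpg"},
    {"bay": "L1-009", "plate": "QWE456", "level": 1,
     "entered": "2011-04-13T07:49:12", "photo": "/img/0005.jpg"},
]

MAX_MATCHES = 3        # assumed: "2-3 likely matches"
RATE_LIMIT = 5         # assumed: "no more than 5 an hour"
WINDOW_SECONDS = 3600


def exposed_bays_json(bays=BAYS):
    """The anti-pattern from the thread: the whole car park, unauthenticated,
    including plate text and entry time. Shown only for contrast."""
    return list(bays)


class Throttle:
    """Sliding-window per-IP request limiter (in-memory; one process)."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def normalise(plate):
    """Upper-case alphanumerics only, so 'abc 123' and 'ABC-123' compare equal."""
    return "".join(ch for ch in plate.upper() if ch.isalnum())


def plate_search(plate, client_ip, now, throttle, bays=BAYS):
    """Hardened lookup: caller must supply a plate, gets at most MAX_MATCHES
    closest bays, and the response carries no plate text and no entry time.
    Blurring the plate inside the photo itself is out of scope here."""
    if not throttle.allow(client_ip, now):
        return {"error": "rate limited", "matches": []}
    query = normalise(plate)
    if len(query) < 3:                          # refuse wildcard-style probes
        return {"error": "plate required", "matches": []}
    # Rank by string similarity; ties keep the original order (sorted is stable).
    ranked = sorted(
        bays,
        key=lambda b: -difflib.SequenceMatcher(None, query, b["plate"]).ratio(),
    )
    matches = [
        {"bay": b["bay"], "level": b["level"], "photo": b["photo"]}
        for b in ranked[:MAX_MATCHES]
    ]
    return {"matches": matches}


if __name__ == "__main__":
    t = Throttle()
    print(plate_search("abc-123", "203.0.113.9", now=0, throttle=t))
```

The throttle keeps only timestamps, so a client that burned its quota is unblocked once the oldest hit ages out of the window; for a real deployment it would live in shared storage rather than process memory, and the plate in the request should still be logged server-side for abuse investigation.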
This is just sad. I'm sure someone was using the extra information for debugging purposes at one point and never thought to remove it from the json interface.
I expect a Westfield developer thought they were being very clever. "Oh look, ParkAssist already has a full API! I'll just put it on a public API and I don't have to do any backend development at all."
That is amazing. How are people this short-sighted and reckless with people's data? It's so frustrating.
I just told my family that no vehicles are to be parked at a Westfield parking garage until further notice. I'm used to them rolling their eyes at me over data security issues, but I gave them the link to this one and their jaws dropped.
While I share your concern that this is poor protection of privacy, are you really sufficiently concerned that someone is desperately interested in the location of your car to bother to put yourself to any inconvenience?
I always laugh at people who back into spots in large parking lots (although in close-quarters it sometimes makes sense to), but now I realize that it could be a security measure (particularly in states without front plates), with or without this park assist.
So there's a camera at every spot? Seems like overkill when a simple sensor (IR/magnetic) would have gotten pretty much the same information. Instead of letting a camera guess your tag, just number each spot and send the number of the spot to the phone once you park.
So then you actively need to do something on your phone when you park?
Additionally, this tech is better for the car park owners because they can (are?) using the same technology to check for cars parked too long in a spot. For that you need the number plate.