Your vehicle can likely be tracked by anyone who knows your license plate number thanks to major privacy issues in parking apps, a hacker has revealed.
Cybersecurity expert Inti De Ceukelaire on Sunday released the results of a more than three-month-long study detailing how data from parking apps, even if you don’t use them, can be utilized to keep tabs on your vehicle’s location.
In a press release on his findings, De Ceukelaire stated that 120 vehicle owners in Europe agreed to participate in the experiment over a 100-day period. Using three different methods, De Ceukelaire was able to pinpoint the live location of over 29 percent of the vehicles.
De Ceukelaire was able to track numerous vehicles with the first method by registering their license plates in parking apps, which do not require users to prove their identity. From there, the hacker simply enabled the app’s license plate recognition (ANPR) feature, which sends an alert anytime a target vehicle enters an ANPR-enabled parking lot.
De Ceukelaire says the method costs roughly €8.56 on average each time a target vehicle is located and could be easily abused by stalkers or criminals.
The second method presented by De Ceukelaire, however, is entirely free. After building a tool aptly named “Platescan,” the hacker was able to connect to thousands of digital parking meters in areas that offer free limited parking.
Platescan can then initiate a one-second parking session using a target’s license plate number. Given that such parking areas only offer one free parking spot to a vehicle per day, an error message indicating that the vehicle had already used up its free parking privileges would prove that it had been at that location.
Although De Ceukelaire has declined to release Platescan to the public, the hacker warns that his methods could easily be reproduced by those with nefarious intent.
“We have identified more than a million trackable parking spots across Europe, and expect the number to ramp up quickly in the months and years to come,” he said. “With ANPR-based payment also finding its way to toll roads such as Ireland’s M50 and England’s M6, free movement will become increasingly harder without the risk of being tracked.”
De Ceukelaire has since called on Europe “to enforce privacy regulations on parking operators and ensure users can opt-out of their license plates being processed.”
The third and final method, which is also free, takes advantage of vendors that allow users to view their current parking sessions as well as receipts. An attacker would only need to know a target’s phone number and license plate number to access such information.
Yet instead of waiting for legislators to act, De Ceukelaire has enlisted a team of privacy lawyers to create a website where citizens in the European Union (EU) can utilize the privacy laws under the General Data Protection Regulation (GDPR) against such surveillance.
The website, notmyplate.com, allows those in the EU to fill out a simple form to auto-generate a GDPR request to restrict the processing of their vehicle’s data.
“While we cannot ensure that parking operators will comply with these requests, we are confident that it will send a strong message to parking operators that society is in need of privacy-first parking solutions,” the hacker added. “One precaution they could implement is to ensure that license plates cannot be re-registered into the system without approval of the original owner.”