A hacker has discovered a way to track the location of license plates through parking applications. Inti de Ceukelaire discovered that he could add license plates of others to those apps. He made a tool that sends instant notifications when the license plate has been scanned by a camera.
Over the past few weeks, Inti de Ceukelaire has contacted the help of 120 volunteers who have agreed to have their license plate tracked. He managed to find the location of almost a third of them. This has been achieved with parking applications such as the 4411 and Indigo Neo, which are especially popular in Flanders and Wallonia. 4411 also operates in the Netherlands. In these applications, it is possible to make automatic payments based on a license plate. Users enter their license plate number and associate their bank account number with it. He writes that if they drive the car into a garage with number plate recognition, they will pay automatically On the project website.
De Ceukelaire saw that these apps do not check if a license plate is owned by someone. This makes it possible to enter any license plate number in the applications. If the car owner then stops, they can see that reflected in the app. De Ceukelaire says he was able to track the locations of 26.5% of participants within 100 days. This was possible in the Netherlands and Belgium with parking apps in EasyPark, Q-Park, Indigo Neo, Interparking and APCOA.
In this case, the attacker blocks the victim’s name and registration number. This means that it also pays for a parking session. De Ceukelaire says he spent a total of €273.85 on parking tickets. The average cost of an attack is 7.82 euros.
De Ceukelaire also discovered a second way to intercept parking sessions on public roads. This happened in the parking spaces along the road where motorists are allowed to park for free for a limited time based on their license plate. This is not passed through ANPR cameras, but by the driver himself via the parking meter along the street. This can often be once or a limited number of times a day. De Ceukelaire built a tool that attempted to register a specific license plate at a location using the Parking 4411 one-time free parking app. If this session has already started on that day, an error message will appear. Based on this, the hacker can retroactively discover where someone is standing.
According to De Ceukelaire, there are more than 4,000 locations in Western Europe where a license plate can be searched. Ethical hacker where Tuckers earlier this year interviewParking apps, according to the parking apps, “reveal an invaluable source of information about drivers.” He writes: “Based on how long the car has been parked, location, and time, you can infer what the person will do there.” “During the investigation, for example, people were present near offices, shopping centers, concert halls, sports complexes, casinos and hospitals. The more footage the system can intercept, the greater the chance of knowing the driver.”