"Find My Car" App: Security Fail
Finding your car in a crowded shopping mall parking lot can be a problem. So Westfield Malls rolled out an app that lets you enter your license plate number to find the security camera pointing at your car, and therefore the car's location. Sounds good? Well, it's chock-full of security holes. Researcher Troy Hunt noticed, for example, that the lack of authentication means that anyone can enter any license plate number and learn the location of any car.
The cameras in the parking garage are useful: they can inform customers of available parking spaces. But so can electronics to indicate whether a car is there or not. In this case, the cameras attempt to read the license plate numbers. Hunt found that the cameras weren't too good at that: in his example image, the plate number the system reported did not match the car's actual license plate number.
Soon after the blog appeared, the companies responsible talked with Hunt and he updated his blog to indicate that they were professional and seemed to be addressing the security concerns he raised. But the situation is typical: just because you can do something in an app doesn't mean you should (or will do it securely).
Presently, the service works by reading the license plate numbers. However, Troy Hunt, the researcher who first blogged about this, offers an alternative. He suggests the system return four grainy images at a time and allow the customer to scroll through them until they find their car. He argues that it would have fewer privacy concerns. You certainly couldn't automate the process.