Convenient: barriers with smart cameras that open automatically when you leave a car park. “But it turns out to be a disaster for our privacy,” says Inti De Ceukelaire, an ethical hacker. That is someone who looks for flaws in security systems with good intentions.
De Ceukelaire conducted a 100-day experiment in which he tried to track 120 cars. He did so with the owners’ permission, and it proved not too difficult. 29 per cent of the cars, just over 1 in 4, turned out to be easy to find based on … the parking spot.
VRT personality Linde Merckpoel volunteered for the test and was surprised when De Ceukelaire suddenly “caught” her during a girlfriends’ weekend.
“I parked underground in Brussels for a while, as I was there on a weekend. The barrier opened automatically at first and I didn’t get a ticket. Annoying, because I was worried I wouldn’t be able to exit. Those worries turned out to be unnecessary, as the barriers also opened automatically when I left the car park and I hadn’t even paid yet. So it turned out that Inti knew where I was and had immediately paid for me. Convenient and creepy at the same time”.
**Smart cameras in garages**
De Ceukelaire found two ways to track people and their vehicles. The first test used the parking app of Indigo, known for its underground car parks. De Ceukelaire created a professional account in the app and entered all 120 number plates, including Linde Merckpoel’s. If one of the cars entered a car park, De Ceukelaire knew immediately, because the app is connected to the number plate recognition camera mounted over the driveway. This is also how it went with Linde.
“There is no check whether the number plate entered also belongs to the app user. This makes it possible to intercept parking sessions of a vehicle thus using a garage or car park. Whether the drivers themselves use parking apps is irrelevant.”
“The only obstacle is that the person intercepting the parking session must also effectively pay for it, but at an average of €8.25 per successfully tracked vehicle, it is dozens of times cheaper than, say, a private investigator,” says De Ceukelaire.
**4411**
But it did not stop there. Those who thought they could be more anonymous by avoiding parking garages with cameras and parking on the street were also in for a treat. De Ceukelaire also developed a computer programme to detect whether the cars he tracked were using free parking sessions. In some cities, for example, you can park for free for 15 minutes. This also allowed him to find the cars he was looking for.
“My computer programme ‘talked’ to thousands of digital parking meters at the end of each day asking if there was still free parking time available for the tracked cars. If my system failed to create a one-second free parking session for that number plate in one of the free zones, I knew with certainty that the vehicle had parked in that zone that same day.” Currently, this “trick” only works in locations where 4411 offers free parking, such as Aalst, Antwerp, Beveren, Charleroi, De Panne, Ghent, Hasselt, Tournai and Turnhout.
**Security**
According to De Ceukelaire, it is a breeze for people with bad intentions, who know a bit about technology, to find out where you are. “If you are away from home, they can break in. If you are spotted with a car full of belongings or suitcases, robbers can come looking for you when you park somewhere.”
“Besides, it is not difficult to get someone’s number plate. Many people enjoy showing their expensive cars on social media and often don’t make their number plate unrecognisable. But even for those who look around a bit on the street, it is not difficult to link people to their vehicle.”
“Recently, I was in another dark car park. And I didn’t feel so safe. Immediately I was reminded of the experiment with my number plate again. As a woman, you really don’t want it to be that easy to track someone.”
**Where you park says what you are doing**
“Parking sessions reveal an invaluable source of information about drivers: based on parking time, location and time, you can deduce what the person is doing there. For example, during the study, individuals were located near office spaces, shopping malls, concert halls, sports complexes, casinos and hospitals. The more snapshots the system can intercept, the greater the chance of finding out who the driver is,” De Ceukelaire adds.
What makes number plate recognition in car parks interesting for people with bad intentions is that a car usually stays in the same location for a while. This gives them time to make their way to the vehicle and possibly wait for the driver. An expensive car or a car full of belongings may then be easy to track down. But it also puts people who have to go into hiding from family or even war violence at risk.
**European problem, Belgium leads the way**
Other Western European countries face the same privacy problem, although Belgium has the highest density: 2.55 smart parking spaces per km², accounting for 78,000 spaces in total. “Sweden and France are record holders in Europe with 220,000 smart parking spots, but the surface area of those countries is much larger, so the ‘track probability’ is smaller than in Belgium,” it is said.
De Ceukelaire advocates a European-level approach. “During the investigation, we managed to locate a Belgian number plate more than 1,000 km away from the Spanish border. Most parking companies operate in several countries and should therefore be encouraged at European level to step up their privacy measures. The problem will only get worse in the future, as sustainable mobility plans divert more and more cars to off-street parking. Moreover, the same technology is already being applied to toll roads in England and Ireland, so even those who always park privately can be located.”
Translated with DeepL
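A backend-side check for the free-session probing described under 4411, added here as an example; it is not code from De Ceukelaire, 4411 or Indigo. The log format, field names, outcome labels and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample of backend request records (not real data). Assumed fields:
# time, account, plate, zone, outcome, seconds the free session stayed open.
SAMPLE_LOG = """\
2024-05-01T18:02:11 acct-17 1-ABC-123 GENT-A created 840
2024-05-01T23:50:01 acct-99 1-XYZ-001 AALST-1 created 1
2024-05-01T23:50:02 acct-99 1-XYZ-001 GENT-A created 1
2024-05-01T23:50:03 acct-99 1-XYZ-001 HASSELT-2 quota_used 0
2024-05-01T23:50:04 acct-99 2-DEF-456 AALST-1 created 1
2024-05-01T23:50:05 acct-99 2-DEF-456 GENT-A quota_used 0
2024-05-01T23:50:06 acct-99 2-DEF-456 HASSELT-2 created 1
2024-05-02T09:15:40 acct-23 1-JKL-789 TURNHOUT-1 created 600
2024-05-02T12:30:00 acct-23 1-JKL-789 TURNHOUT-1 quota_used 0
"""

# Assumed thresholds; tune them against real traffic.
MAX_ZONES_PER_PLATE = 2   # free zones one plate plausibly uses per day
MAX_OPEN_SECONDS = 5      # sessions closed this quickly count as probes
MIN_PROBE_RATIO = 0.8     # share of an account's daily requests that are probes

# outcome is "created" or "quota_used" (hypothetical labels).
Request = namedtuple("Request", "when account plate zone outcome open_seconds")

def parse(log):
    """Turn whitespace-separated log lines into Request records."""
    requests = []
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, account, plate, zone, outcome, secs = line.split()
        requests.append(Request(datetime.fromisoformat(ts), account, plate,
                                zone, outcome, int(secs)))
    return requests

def find_probing(requests):
    """Flag account-days that sweep one plate across many free zones."""
    by_account_day = defaultdict(list)
    for r in requests:
        by_account_day[(r.account, r.when.date())].append(r)
    findings = []
    for (account, day), reqs in sorted(by_account_day.items()):
        zones_per_plate = defaultdict(set)
        for r in reqs:
            zones_per_plate[r.plate].add(r.zone)
        probes = [r for r in reqs if r.outcome == "quota_used"
                  or r.open_seconds <= MAX_OPEN_SECONDS]
        widest = max(len(z) for z in zones_per_plate.values())
        if (widest > MAX_ZONES_PER_PLATE
                and len(probes) / len(reqs) >= MIN_PROBE_RATIO):
            # A refused request told the caller the plate had already parked
            # in that zone today, so these pairs are the disclosed locations.
            disclosed = sorted({(r.plate, r.zone) for r in reqs
                                if r.outcome == "quota_used"})
            findings.append({"account": account, "day": day.isoformat(),
                             "plates": len(zones_per_plate),
                             "requests": len(reqs), "disclosed": disclosed})
    return findings

if __name__ == "__main__":
    for finding in find_probing(parse(SAMPLE_LOG)):
        print(finding)
```

The `disclosed` list is what an operator would use to work out which plate holders had a location revealed; the driver who retries in a single zone (acct-23) is not flagged.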
No shit. This is the case for so many things. Why do you need a phone number and an email address and an account to park your car? All you should need is your car and some money. The same goes for all the stores that have a client card associated with email addresses etc… None of these databases are made secure enough to handle this amount of personal information.
The method described in the article is even utterly simple, it does not involve any hacking at all, it is actually just using the system. The fact that someone can use your numberplate to pay for your parking seems innocuous at first, and ‘who would be that stupid’ to pay for my parking? But ulterior motives exist, and the more data you share, the more that data can be used against you.
I wouldn’t have a problem with someone tracking my underground parking at the cost of parking for free!
I might be a bit biased, because the company I work for, implemented a similar concept for a famous parking garage brand. They are not named in the article and I have no knowledge if they handle it better or worse.
But I have not worked in that team so anything I say is still my own opinion, although it might not be completely objective.
I 100% agree some kind of verification is needed, but what is the practical implementation of this?
Link car registrations to a person and force people to verify with their ID or Itsme? (most company cars aren’t registered to the person driving it, so good luck with that)
Send a picture of your car registration to the app? (those are the same people who didn’t think to implement any security measures to start with, I’m sure they will handle such an important document safely and gdpr compliant).
Send a picture of yourself holding today’s newspaper next to your license plate? (it works for NSFW reddit validation, so that must be bullet proof)
Limit the usage of a license plate to 1 account might be a semi decent solution that solved the issue for everybody who uses the app. But my parents would never install an app, so they are still vulnerable. + the pattern of number plates are quite predictable, so what stops me from registering all new ones with an automated script? It’s only 8 euro on average, that’s like a long shower.
I agree that on average paying 8 euro per session is a lot cheaper than hiring an investigator, but if out of the blue my parking tickets would get paid, wouldn’t that raise suspicion anyway? Linde didn’t care and I don’t think the average Belgian is more honest. But the above average Belgian with a couple brain cells should start asking some questions. But those probably are also not the people who post their number plate on Instagram.
The same with scoping out a fancy car. Yes, you know it’s parked somewhere. But isn’t that still a lot more labor intensive than just go to a parking garage near a fancy store or venue, peek through the window and have a go at it if you see something valuable inside? Why make the effort, hurry up to the place where the car might not even be any more and then arrive there to an empty car? I know thieves are very creative, but they are also lazy, and this does not look like the easiest way to handle theft.
And then there is the case of stalking, terrorism, … If we are really worried about that, no matter what safety measures I suggested earlier will never get rid of that completely. So the only real solution then becomes to ban this feature completely! So let’s go back to having parking tickets that you can only pay with cash. Paying by cards is also traceable 🙂
I really want to understand the gravitas of the issue, but this seems like a very big article for a very limited issue. A hacker can investigate this and help look for better solutions than the ones I could come up with in the 5 seconds I thought about it. But now we make an article about it and make people afraid. Now my mother will never use the app, but she will still be vulnerable to the 4411 hacks described in the article. It all seems like the issue about contactless payment fraud. In theory it’s an open door to your money, but in practice I have heard almost no real applications of it. And the cases I heard about, just got solved by the bank without much effort.
This Inti guy is hardly a script kiddie. Hacker… gtfo lol
Is this actually still considered white-hat hacking? His intentions seem pure (even though Inti’s known to be somewhat of an attention whore) but to be considered white-hat, I thought you needed to have permission of the company you’re investigating. Also, as far as I remember from my Hacking course at school, a true white-hat hacker would first notify the companies, give them a deadline to fix their issues, and only then publish the results. I’m sure that would’ve achieved more than creating this website for people to act on their GDPR rights… though it would not have resulted in the same amount of traction.
Privacy databases should be handled by the public sector and not private companies.