tl;dr 🔗

While Norway's version of the Social Security number (SSN) isn't considered sensitive personal information, it can still be used for ID theft and is sometimes treated as an authenticator and not only used for identification. Knowing (or systematically picking) a car's number plate you can get quite a bit of personal information about the owners. Also, services hosted alongside the one in question seem to have dubious security.

Summary 🔗

Background 🔗

The way to get the name (typically to look up the phone number to make contact) of a car owner in Norway has typically been to just send an SMS that costs some cents. A friend and former colleague told me about the insurance company Tryg's app Trygg på reise (Safe travel) where you can look up this information for free (plus Google broke their SMS app Hangouts making it impossible to send SMSes to 4 digit phone numbers). I had used it for quite a long time when one day I was curious about where it got its data from, if it maybe was possible to create some services on top of that data.

Approach (technical stuff) 🔗

HTTP proxy 🔗

If you want to intercept traffic between a server and a mobile app (even SSL), the HTTP proxy Charles (and Android 6 or below for SSL) is the the way to go. It's very easy to use and gives a very good overview of the data going back and forth. And it let's you easily copy the HTTP requests as Curl commands.

Within a couple of minutes you have a pretty decent control of the HTTP calls for that app.

Web Service endpoint 🔗

The first surprise I got was that the app and server actually use the procotol SOAP which is just terrible to work with. (I suspect people having to use, develop and debug SOAP services live in a fog of

#FML.)

The second surprise was that the web service actually sent back much more info than what it display in the user interface in the app, and not only the municipality that you also get with the amentioned SMS service. I've summarized all the details further down after all the technical details here. But seeing both the owner and co-owner's SSNs and addresses surprised me the most.

I noticed that the web service call always included the username and password instead of the returned session id. No biggie, but a bit strange. The strings for usernames and password were all upper case and only 6-7 characters long. The password was almost the same as the username and all of them containing the name of the customer and the abbreviation of the service name. I hope that isn't the standard, that it gives me a clue on how the logins for the other services are.

Security issue? 🔗

The data returned is returned as intended, so there's so information leak in itself. The web service works as it should. However, it's more questionable if it's okay that a service like to be facing a public client.

The data returned from the service is as follows:

• The owner's first, middle and last name (alt. company name)
• The owner's full address
• The owner's Social Security number (org.no. if company)
• The owner's birthday (as it's part of the SSN in Norway)
• Any co-owner's first, middle and last name
• Any co-owner's full address
• Any co-owner's Social Security number
• The co-owner's birthday (as it's part of the SSN in Norway)
• A lot of technical data about the vehicle
• The insurance company and date of the vehicle insurance
• The insurance company and dates of the previous vehicle insurance
• The name of the previous owner
• Info if and when the vehicle was stolen

Is this okay? All the app does is show the name of the owner and details about the vehicle itself.

Apparently the name of the co-owner and previous owner is public information according to the law called Offentlighetsloven (Freedom of information act) (Norwegian link only).

But wait, could there be more? 🔗

Infotorg provides quite a few services. (Norwegian link only, sorry.) Having the URL for the web service I of course checked out what else was on the server. I was a bit surprised to see that the root site had a seemingly complete list of all the services available at Infotorg. There were links to the documentation and WSDLs (Web Services Description Language) telling about all these services available and how to connect to them and use them. And these services do indeed contain much more sensitive information. There is a national population register, financial information, credit assement, employee register, lay judge register, etc. etc. It's important to note that I never had (or tried to get) access to these other services. My point is that the openess is a bit too much, and seemingly the user credentials policy isn't very strict. But this is just speculation.

To add to the eerie feeling about these services there are links to some test site and test CMS and information about a test client. Google has of course indexed all these other sites and sub domains. Also there are pages giving errors that gives more information about infrastructure and services running.

Reception and handling 🔗

Day zero 🔗

I sent an e-mail to the contact e-mail address provided by Tryg at the app's Play Store page. I never got an answer.

I also used a web form to get in touch with Infotorg.

Day 1 - X 🔗

I got an answer from Infotorg in less than 24 hours. That's prompt, that's good. And they wanted more details.

When I provided more details with an example Curl command for them to try I got an automatic e-mail back telling that the person handling this was unavailable. I never heard back after that, so I tried again one month later and this time including a e-mail address from the automatic e-mail that was supposed to be used for urgent cases. I never heard back. So I tried again writing both e-mails again five days before publishing this. I never heard back.

Day 186 🔗

I'm publishing this post. So is this responsible disclosure? Yes, I tried hard to get an answer. But on the other hand, it seems to me that the involved parties don't think that this is a disclosure to begin with, and that it isn't a problem.

Some fun facts 🔗

Fun fact #1: The previous King of Norway had his cars registered on him personally 🔗

His Majesty The King has got a few cars. Looking up e.g. the one with licence plate A-1 you'll see that now the car is registered with The Royal Court, but it used to be registered directly on our previous King - Olav V. They have also trusted the insurance company If since 1995.

Fun fact #2: The service also works for Norway's new personal licence plates 🔗

The summer 2017 Norwegian Public Roads Administration opened for paying to get your own personal licence plate. It's been quite a few news articles about people getting different funny and fascinating plates. The web service in question works for those as well. Maybe something to think about before sticking your head out there.

Fun fact #3: Exposed by one single post 🔗

Reporting this issue I got a question back for more details. There's no better way to understand a security issue than seeing your own data. The person who responded had got this fully closed private Facebook profile. Or, did he? Well, he had one single public post; a check-in. The check-in was from when he got a free car wash from a big radio show in Norway. In that post there was a picture of the car in the car wash. So he got a pretty low profile on the Internet, but still one could look up the name, address, SSN, etc. Doesn't that hurt just a little bit?

Conclusion 🔗

We should probably not fear for our SSN. But I'm still not sure if I like the idea that just based on a licence plate anyone should get your full address or know any details about your insurances.

Also, I wish that it wasn't so hard to get the attention when trying to report a security concern...

At last some - hopefully - far fetched ideas 🔗

I call this "far fetched", because it's hard to believe it would happen, but I can't help thinking it.

We know from media the later years that governments from different countries do collect quite a bit of intelligence and information about people. Wouldn't be interesting for some states to get a catalogue of a big part of Norway's population? I mean, they get a real one-to-one identifier and full names and quite a bit of meta information. Combining this information over time with information from other sources? Observering a dataset like discussed here over time, one can get a sense of family relations, split-ups, address changes, income changes, etc. Is that okay? What if you at some point shared an address with a person that has got an entry ban in a country you want to travel to? Should they stop you too just to be sure?

What about insurance companies? They could in theory use the dataset to target potential customers. If they know that they beat the prices of one other particular insurance company they could make contact and try to sell their product instead. But then again, they have probably always had full access to these data.

If you use your imagination I'm sure you can come up with other ways to (ab)use the data.