Using only the plate number of a Norwegian car you can find the name, address, Social Security number, etc. of the owners.
|Published:||Mon, August 14, 2017, 07:30|
|Updated:||Thu, August 17, 2017, 18:50|
Social Security numbers
OWASP 2013 A2
OWASP 2013 A6
While Norway's version of the Social Security number (SSN) isn't considered sensitive personal information, it can still be used for ID theft and is sometimes treated as an authenticator and not only used for identification. Knowing (or systematically picking) a car's number plate you can get quite a bit of personal information about the owners. Also, services hosted alongside the one in question seem to have dubious security.
|Who:||Tryg's mobile app and Infotorg's web services|
|Severity level:||Low to medium|
|Reception and handling:||Very poor|
|Issue:||A lot of personal info available for anyone who wants it|
The way to get the name (typically to look up the phone number to make contact) of a car owner in Norway has typically been to just send an SMS that costs some cents. A friend and former colleague told me about the insurance company Tryg's app Trygg på reise (Safe travel) where you can look up this information for free (plus Google broke their SMS app Hangouts making it impossible to send SMSes to 4 digit phone numbers). I had used it for quite a long time when one day I was curious about where it got its data from, if it maybe was possible to create some services on top of that data.
If you want to intercept traffic between a server and a mobile app (even SSL), the HTTP proxy Charles (and Android 6 or below for SSL) is the the way to go. It's very easy to use and gives a very good overview of the data going back and forth. And it let's you easily copy the HTTP requests as Curl commands.
Within a couple of minutes you have a pretty decent control of the HTTP calls for that app.
The first surprise I got was that the app and server actually use the procotol SOAP which is just terrible to work with. (I suspect people having to use, develop and debug SOAP services live in a fog of
The second surprise was that the web service actually sent back much more info than what it display in the user interface in the app, and not only the municipality that you also get with the amentioned SMS service. I've summarized all the details further down after all the technical details here. But seeing both the owner and co-owner's SSNs and addresses surprised me the most.
I noticed that the web service call always included the username and password instead of the returned session id. No biggie, but a bit strange. The strings for usernames and password were all upper case and only 6-7 characters long. The password was almost the same as the username and all of them containing the name of the customer and the abbreviation of the service name. I hope that isn't the standard, that it gives me a clue on how the logins for the other services are.
The data returned is returned as intended, so there's so information leak in itself. The web service works as it should. However, it's more questionable if it's okay that a service like to be facing a public client.
The data returned from the service is as follows:
Is this okay? All the app does is show the name of the owner and details about the vehicle itself.
Apparently the name of the co-owner and previous owner is public information according to the law called Offentlighetsloven (Freedom of information act) (Norwegian link only).
Infotorg provides quite a few services. (Norwegian link only, sorry.) Having the URL for the web service I of course checked out what else was on the server. I was a bit surprised to see that the root site had a seemingly complete list of all the services available at Infotorg. There were links to the documentation and WSDLs (Web Services Description Language) telling about all these services available and how to connect to them and use them. And these services do indeed contain much more sensitive information. There is a national population register, financial information, credit assement, employee register, lay judge register, etc. etc. It's important to note that I never had (or tried to get) access to these other services. My point is that the openess is a bit too much, and seemingly the user credentials policy isn't very strict. But this is just speculation.
To add to the eerie feeling about these services there are links to some test site and test CMS and information about a test client. Google has of course indexed all these other sites and sub domains. Also there are pages giving errors that gives more information about infrastructure and services running.
I sent an e-mail to the contact e-mail address provided by Tryg at the app's Play Store page. I never got an answer.
I also used a web form to get in touch with Infotorg.
I got an answer from Infotorg in less than 24 hours. That's prompt, that's good. And they wanted more details.
When I provided more details with an example Curl command for them to try I got an automatic e-mail back telling that the person handling this was unavailable. I never heard back after that, so I tried again one month later and this time including a e-mail address from the automatic e-mail that was supposed to be used for urgent cases. I never heard back. So I tried again writing both e-mails again five days before publishing this. I never heard back.
I'm publishing this post. So is this responsible disclosure? Yes, I tried hard to get an answer. But on the other hand, it seems to me that the involved parties don't think that this is a disclosure to begin with, and that it isn't a problem.
Tryg's user at Infotorg's service got closed (as far as I understand, after Tryg contacted Infotorg).
Tryg reached out to me. They thanked for the help finding the issue, said they were sorry for it being there in the first place, and told me it had been resolved.
digi.no published the article Norsk mobilapp åpnet for tapping av masse informasjon om norske bileiere.
Tryg commented on this post here themselves.
I think Tryg - when the information finally reached them - has handled the case very well. They reacted promptly, fixed the problem, and has been very open and honest about everything. I'm really happy with that.
His Majesty The King has got a few cars. Looking up e.g. the one with licence plate A-1 you'll see that now the car is registered with The Royal Court, but it used to be registered directly on our previous King - Olav V. They have also trusted the insurance company If since 1995.
The summer 2017 Norwegian Public Roads Administration opened for paying to get your own personal licence plate. It's been quite a few news articles about people getting different funny and fascinating plates. The web service in question works for those as well. Maybe something to think about before sticking your head out there.
Reporting this issue I got a question back for more details. There's no better way to understand a security issue than seeing your own data. The person who responded had got this fully closed private Facebook profile. Or, did he? Well, he had one single public post; a check-in. The check-in was from when he got a free car wash from a big radio show in Norway. In that post there was a picture of the car in the car wash. So he got a pretty low profile on the Internet, but still one could look up the name, address, SSN, etc. Doesn't that hurt just a little bit?
We should probably not fear for our SSN. But I'm still not sure if I like the idea that just based on a licence plate anyone should get your full address or know any details about your insurances.
Further I hope all of Infotorg's more sensitive services are much more secure than first impression I got; that they are alerted if anyone tries any brute force attacks or systematic information gathering, and that the logins don't consist of only a few capital letters.
Also, I wish that it wasn't so hard to get the attention when trying to report a security concern...
I call this "far fetched", because it's hard to believe it would happen, but I can't help thinking it.
We know from media the later years that governments from different countries do collect quite a bit of intelligence and information about people. Wouldn't be interesting for some states to get a catalogue of a big part of Norway's population? I mean, they get a real one-to-one identifier and full names and quite a bit of meta information. Combining this information over time with information from other sources? Observering a dataset like discussed here over time, one can get a sense of family relations, split-ups, address changes, income changes, etc. Is that okay? What if you at some point shared an address with a person that has got an entry ban in a country you want to travel to? Should they stop you too just to be sure?
What about insurance companies? They could in theory use the dataset to target potential customers. If they know that they beat the prices of one other particular insurance company they could make contact and try to sell their product instead. But then again, they have probably always had full access to these data.
If you use your imagination I'm sure you can come up with other ways to (ab)use the data.