License plates, emails, & basic user data: why losing them is a major security risk
We explore the impacts of a mobile parking app cybersecurity incident, how it was framed, and what could have been improved.
We recently received a notification that the nationwide ParkMobile app, the largest parking app in the U.S., had experienced a “cybersecurity incident” linked to an unspecified vulnerability in third-party software the company used.
In their press release, ParkMobile acknowledged that users’ license plate numbers, emails, phone numbers, vehicle nicknames, and — in some cases — mailing addresses were accessed by unidentified threat actors, a significant breach of sensitive user data.
While prompt communication to exposed app users is appreciated (not to mention expected), we are severely disappointed in ParkMobile’s framing of the incident and in the way it communicated the risks associated with what amounts to a significant security breach, as we explore in greater detail below.
As we have said elsewhere and will continue to say, whether or not a business entity gets hacked is not the question. The question is whether the entity properly identifies when a breach or cybersecurity incident has occurred and how it responds. Unfortunately, ParkMobile’s handling of this incident leaves much to be desired: it did not give users the transparency they need to understand the nature and scope of the risk they are now exposed to. That transparency is a critical component of any incident response plan and of ethical business practice in general.
Nothing to see here, it’s just “basic user information”
In its press release, ParkMobile summarized for users the findings of its investigation of the incident. It reported that the unspecified vulnerability had been eliminated, but it did not describe what the vulnerability was; it stated only which categories of user information were accessed. That acknowledgement alone gives us enough to work with: ParkMobile suffered a security breach that resulted in the loss of sensitive user data.
Most critically, ParkMobile minimized the breach by deliberately labeling the loss of users’ license plates, email addresses, phone numbers, and (in “some cases”) mailing addresses as mere “basic user information”. Such pieces of information may appear innocuous at face value, but they present a significant security risk for any user whose data was accessed by unauthorized parties.
Let’s examine why.
What’s the big deal about an email address lost?
For starters, find someone’s email address and you’ve more or less found them. Nearly everyone has at least one address, and most people build it from their own name; those who don’t often embed other significant personal details, such as graduation years or places. Add the breach data circulating on the dark web and a search on that one address can yield far more about a target: frequently their passwords, the IP addresses from which they accessed the internet (if they were not using a VPN), and other accounts tied to that same address. Our bottom line: an email address can be labeled “basic user information”, but its loss is anything but.
Consider this example subject, for whom we originally had no contact information at all. We eventually discovered their professional email address; that address turned up their password in plaintext (from an old data breach), which in turn led us to their home address. All of it flowed from a single email address.
Okay fine, but what about license plates?
Let’s say we’ve compromised ParkMobile through the vulnerability in its third-party software (awkward). We take all the data we can get our hands on and sell it to the highest bidder, because cybercrime pays. In that data is your license plate, and perhaps a name associated with the account. If we were targeting high net worth individuals, we’d want to know what kind of vehicles our targets drive, so let’s search a random Wisconsin license plate from our dataset (we’re lazy, and nearby targets are easier to reach):
Most states offer online lookup services, and Wisconsin is no exception. A quick license plate search yields the type of vehicle our target owns, along with the registration expiration date and the vehicle’s year, make, and color, all of which increases the attack surface available to us. More attack surface means more options by which nefarious elements can reach you and your assets, all derived from a piece of information as innocuous as a license plate. But that’s not all.
Once we have a name and one vehicle, it is relatively easy to locate that vehicle (i.e. where it is kept, which is also a free feature on the DoT website), as well as other vehicles registered at the same address. Below we used (another) free search site to identify other vehicles at our (notional) target’s residence, yielding still more data about them, including partial VINs and the make/model of the other vehicles they own.
We now have our target’s name, email, address, password, license plate, partial VIN, vehicle make/model, and the makes/models of their other vehicles, and we aren’t even close to finished, all thanks to “basic user information” exposed in the ParkMobile app.
They have my cars now, so what?
We alluded to it, but we’re not quite done yet with our targeting. We’ve built up a substantial picture of our target’s attack surface, but need more context, or “pattern of life”. So let’s identify the VIN of our target’s vehicle based on their license plate:
Why do we want the vehicle identification number (VIN)? Because it is yet another thread that offers more context on a target’s vehicle usage and pattern of life. A VIN not only confirms the vehicle’s make, model, color, and other descriptive data, it also generally comes with an estimate of mileage and, critically for us, a vehicle history: sale and purchase dates, any accident history, and other useful tidbits.
More attack surface means more options (for the bad guys)
To recap: we now have our target’s name, email, address, password, license plate, full VIN, vehicle make/model, the makes/models of their other vehicles, estimated mileage, accident and driving history, and an even wider attack surface with several new threads to pull on. At this point we only have to pick a preferred avenue through which to reach the target and execute our chosen attack.
If we were targeting a high net worth individual, the usual leverage (hidden assets or relationships that could put them at risk) may not be the most effective. It may be more impactful to learn about the daughter who drives one of the other vehicles registered at the address. Individuals may not care much about their own safety and security, but they certainly care about that of their children and heirs, which gives us even more leverage to work with. And the targeting continues from there.
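To make the aggregation concrete, here is an added example (not code from the original article or from ParkMobile) that replays the pivot chain above as a small Python script. Every dataset in it is constructed for the demonstration: the parking-app record stands in for what the breach exposed, and the dictionaries stand in for the older breach dump, the state plate lookup, the residence vehicle search and the VIN history service the article walks through. The `name_from_email`, `Profile` and `build_profile` names are our own.

```python
"""Replay the OSINT pivot chain from a single exposed parking-app record.

All data here is constructed for the example. The lookup tables play the role
of external sources (older breach dump, state DMV plate search, residence
vehicle search, plate-to-VIN lookup, VIN history); they are not real records.
"""
from dataclasses import dataclass, field

# Constructed: one record as a parking-app breach would expose it.
BREACHED_PARKING_RECORD = {
    "email": "j.doe.1998@example.com",
    "phone": "555-0100",
    "plate": "ABC-1234",
    "plate_state": "WI",
    "vehicle_nickname": "Moms SUV",   # nicknames alone can hint at household members
}

# Constructed stand-ins for the external sources used in each pivot.
OLD_BREACH_DUMP = [
    {"email": "j.doe.1998@example.com", "password": "Winter2019!",
     "address": "12 Oak St, Madison, WI"},
    {"email": "someone@example.org", "password": "hunter2", "address": "99 Elm Ave"},
]
DMV_PLATE_LOOKUP = {
    ("WI", "ABC-1234"): {"year": 2019, "make": "Honda", "model": "CR-V", "color": "Blue",
                         "expires": "2025-03", "address": "12 Oak St, Madison, WI"},
}
VEHICLES_BY_ADDRESS = {
    "12 Oak St, Madison, WI": [
        {"plate": "ABC-1234", "vin_partial": "2HKRW2H5XKH"},
        {"plate": "XYZ-987", "vin_partial": "1G1ZD5ST0JF",
         "make": "Chevrolet", "model": "Malibu"},
    ],
}
VIN_BY_PLATE = {("WI", "ABC-1234"): "2HKRW2H5XKH123456"}
VIN_HISTORY = {
    "2HKRW2H5XKH123456": {"est_mileage": 41000, "sold": ["2019-06-01"], "accidents": 1},
}


@dataclass
class Profile:
    """Aggregated facts plus the order in which each source contributed them."""
    facts: dict = field(default_factory=dict)
    chain: list = field(default_factory=list)   # (source, [new attribute names])

    def add(self, source, **new):
        # Only record attributes this source adds; repeated facts from later
        # sources are redundant pivots, not new exposure.
        added = {k: v for k, v in new.items() if k not in self.facts and v is not None}
        if added:
            self.facts.update(added)
            self.chain.append((source, sorted(added)))


def name_from_email(email):
    """Guess (first, last, year hint) from the local part: 'j.doe.1998' -> ('J', 'Doe', '1998')."""
    local = email.split("@", 1)[0]
    parts = [p for p in local.replace("_", ".").replace("-", ".").split(".") if p]
    letters = [p for p in parts if p.isalpha()]
    digits = [p for p in parts if p.isdigit()]
    first = letters[0].capitalize() if letters else None
    last = letters[-1].capitalize() if len(letters) > 1 else None
    return first, last, (digits[0] if digits else None)


def build_profile(record):
    """Pivot from the exposed record through each constructed source in turn."""
    p = Profile()
    p.add("parking-app breach", **record)

    first, last, year_hint = name_from_email(record["email"])
    p.add("email naming convention", first_name=first, last_name=last, year_hint=year_hint)

    for row in OLD_BREACH_DUMP:                       # email -> password, address
        if row["email"].lower() == record["email"].lower():
            p.add("older breach dump", password=row["password"], address=row["address"])

    key = (record["plate_state"], record["plate"])
    dmv = DMV_PLATE_LOOKUP.get(key)                   # plate -> vehicle, address
    if dmv:
        p.add("state plate lookup", **dmv)

    addr = p.facts.get("address")                     # address -> other household vehicles
    if addr:
        others = [v for v in VEHICLES_BY_ADDRESS.get(addr, []) if v["plate"] != record["plate"]]
        p.add("residence vehicle search", other_vehicles=others or None)

    vin = VIN_BY_PLATE.get(key)                       # plate -> VIN -> history
    if vin:
        p.add("plate-to-VIN lookup", vin=vin)
        hist = VIN_HISTORY.get(vin)
        if hist:
            p.add("VIN history", **hist)
    return p


if __name__ == "__main__":
    profile = build_profile(BREACHED_PARKING_RECORD)
    for source, attrs in profile.chain:
        print(f"{source:28s} -> {', '.join(attrs)}")
    print(f"{len(profile.facts)} attributes from {len(profile.chain)} pivots")
```

The `chain` list is the useful output for a defender: it shows which single pivot first surfaced each attribute, so you can see that the home address would have been reachable from the plate lookup even if the older breach dump had not contained it. Swap in real sources behind the same function boundaries and the script becomes a self-assessment of how far your own exposed fields can be chained.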
What did we learn?
The “basic user information” exposed through ParkMobile’s vulnerability is anything but basic. Individual pieces of information may seem innocuous, but aggregated with open source intelligence techniques they form a significant threat to individual and family safety and security. The amount of publicly available information online is staggering, which is why everyday citizens should secure their digital footprint today.
Thankfully, you don’t have to go it alone, as SMU exists to do as its name implies: to manage your signature — on and offline — in order to mitigate the hidden risks to your safety, security, and peace of mind.