
Buggy parking apps - when everyone suddenly sees where you park your car

Imagine parking your car in a multi-story car park or using a toll road – and without your knowledge someone else automatically receives a message on their smartphone, in real time: The car with your number plate is now parked here.


The technology is already real - and it enables stalkers, spies or criminals to create precise movement profiles of a vehicle owner or to intercept someone at their vehicle. This all happens in real time.

The Belgian security researcher Inti de Ceukelaire found out how this is possible without vehicle owners noticing or being able to defend themselves against it: he had noticed that in more and more car parks the entrances and exits are controlled only by a camera instead of a ticket barrier.

The technology behind it is called "ANPR", short for Automated Number Plate Recognition. This license plate recognition is intended to simplify the use of parking garages:

On the one hand, operators can use it to reserve parking spaces for previously registered cars. On the other hand, users no longer have to take a ticket at the barrier or make the tiresome walk to the pay machine. Instead they simply register their license plate number in a parking app; billing then takes place automatically on exit, and the user only receives an invoice via the app on their smartphone.

But what if it is not the owner but someone else who registers the number plate on their smartphone in one of the apps? Then suddenly the stranger gets the bill – and it says exactly where the vehicle was parked, when, and for how long.

What's more, various apps make it possible to receive a live notification when the vehicle enters the car park: in the "Easypark" app, which is popular in Germany, this is called "Camerapark". "Imagine you are being followed by a stalker - he is happy to pay your parking fee in the app to get a live notification of your location," comments de Ceukelaire in an interview with WELT.

"Or criminals who have sniffed out that you drive a high-quality vehicle - they get the message about the entrance to the parking garage, then drive there and when you come back they catch you at the parking lot and take the key from you."

Using the data from 120 voluntary vehicle owners in Belgium, he himself has tested how reliably he can collect location information via the parking app. With 120 license plates, he got a hit rate of almost thirty percent in three months.

The hits came not only from Belgium, but also from car parks in France, Great Britain and the Netherlands. And in Germany too, license plate recognition is already widely used.

"What's more, operators of toll roads are now also using the technology," explains de Ceukelaire. "Attackers could even use it to create movement profiles. For example in Great Britain on the M6 or M50, or in Norway with the congestion charge."

The technology, he describes, has become more and more reliable in recent years, and in Germany more and more car parks and parking lots are being equipped with license plate cameras. The researcher also found another trick: Some parking garage providers allow you to reserve a space in the parking garage by providing the license plate number.

If the vehicle is already in the parking garage at this point, the provider’s apps reject the reservation with the corresponding number plate – conversely, an attacker knows that the vehicle they are looking for can be found in the respective garage at the moment the query is rejected.

"The perfidious thing about it is that the vehicle owners concerned can't do anything about it, they don't even notice if someone else registers their license plate number," says de Ceukelaire. "I can only advise everyone to stop sharing photos with their car on social media where the license plate is visible."

In Germany, according to de Ceukelaire, APCOA, Contipark and Easypay are affected in addition to Easypark.

"From a legal point of view, the providers of the affected apps are violating Article 24 of the General Data Protection Regulation, and there are no suitable technical and organizational measures to ensure secure data processing in accordance with GDPR requirements," comments Marc Störing, partner and data protection expert at the Osborne Clarke law firm.

"The vulnerability is based on the fact that the providers do not check whether a license plate registered in the app actually belongs to a vehicle registered to the user."

In addition, many apps allow multiple license plates to be registered for one user. Because of this, de Ceukelaire was able to write a program that would automatically and simultaneously check 120 license plates in half a dozen different parking apps.

Expert Marc Störing advises providers to stop this multiple registration quickly and to only allow registration with a verified number plate from now on. "That would be possible with the vehicle registration document, for example, the providers would have to delete the corresponding photos and data from the registration immediately after registration."
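The provider-side rule described above, as an added example that is not code from the article, the researcher or any of the named apps: an unverified plate claim unlocks no entry notification or invoice, the number of plates per account is capped, and a reservation attempt for an unverified plate gets the same answer whether or not the car is inside. The class, method names, the limit of two plates and the `proof_ok` flag (standing in for an ownership check such as the registration document) are assumptions.

```python
from dataclasses import dataclass, field

MAX_PLATES_PER_ACCOUNT = 2  # assumed policy limit, not a figure from the article

def normalize(plate: str) -> str:
    """Compare plates without spaces, dashes or case differences."""
    return "".join(c for c in plate.upper() if c.isalnum())

@dataclass
class PlateRegistry:
    verified_owner: dict = field(default_factory=dict)  # plate -> account
    pending: dict = field(default_factory=dict)         # account -> claimed plates
    inside: set = field(default_factory=set)            # plates seen entering

    def _plates_of(self, account):
        owned = {p for p, a in self.verified_owner.items() if a == account}
        return owned | self.pending.get(account, set())

    def claim(self, account, plate):
        """Anyone may claim a plate, but a claim alone unlocks nothing."""
        plate = normalize(plate)
        known = self._plates_of(account)
        if plate not in known and len(known) >= MAX_PLATES_PER_ACCOUNT:
            return "rejected: plate limit reached"
        if self.verified_owner.get(plate) != account:
            self.pending.setdefault(account, set()).add(plate)
        return "pending verification"  # same reply whoever else holds the plate

    def verify(self, account, plate, proof_ok):
        """proof_ok: result of an ownership check done elsewhere (assumed)."""
        plate = normalize(plate)
        if not proof_ok or plate not in self.pending.get(account, set()):
            return False
        if self.verified_owner.get(plate, account) != account:
            return False  # plate is already bound to a different account
        self.pending[account].discard(plate)
        self.verified_owner[plate] = account
        return True

    def on_entry(self, plate):
        """ANPR camera event: return the account to notify and bill, or None."""
        plate = normalize(plate)
        self.inside.add(plate)
        return self.verified_owner.get(plate)

    def reserve(self, account, plate):
        plate = normalize(plate)
        if self.verified_owner.get(plate) != account:
            # Decided before looking at `inside`, so the reply leaks no presence.
            return "rejected: plate not verified for this account"
        return "rejected: vehicle already inside" if plate in self.inside else "reserved"
```
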

De Ceukelaire fears that such a registration could result in further potential data leaks. He suggests that vehicle owners could block their license plates (notmyplate.com) to prevent abuse.

Conversely, this could also be used as a joke: what if the blacklist is used, for example by environmental activists, to prevent cars from using automatic parking garages?
