Immobilise national property register left 28 million doors wide open for burglars to plunder data

At the end of last week I was contacted privately by security consultant Paul Moore, who had stumbled across a glaring privacy hole on a site which really should have known how to lock up its valuables better.

Immobilise, the UK's National Property Register, has been used by millions of Brits up and down the country to register the valuable possessions they have in their home.

The (very commendable) idea is that when police collar someone suspicious and find him in possession of items such as luxury TVs, smartphones, tablets, jewellery that might have been stolen in a burglary, they can quickly do an online search to try to track the goods' genuine owner.

And the Immobilise website isn't afraid to blow its own trumpet about its successes:

Immobilise can be used by members of the public and businesses to register their valued possessions or company assets, and, exclusive to Immobilise, all account holders' registered items and ownership details are viewable on the Police national property database, the NMPR.

This online checking service is used thousands of times each day by UK Police forces to trace owners of lost and stolen property.

As a direct result of Immobilise there are hundreds of cases a week where property is returned or information collected that assists the Police in investigating criminal activity involving stolen goods.

All very good, of course.

But it's not just police forces who would find a value in all that data, of course. I would be willing to bet that there are plenty of petty thieves who would love to have a list of houses, and the details of the valuables contained within them too. After all, the records kept by Immobilise include names, phone numbers, home addresses, email addresses, serial numbers - as well as the estimated value of some items.

Immobilise record

As Paul Moore explains on his blog, accessing a stranger's Immobilise record on the site is child's play.

Immobilise certificate ID

That's because each record on the site is accessed via a URL which contains two parameters: the user ID and the certificate ID.

So, you simply change 7161519 to 7161520, 716521, 716522... and so on.

If you had the patience (or rather, if you had the patience to get a computer to do it for you) you could download 28 million records that should have been kept properly secured.

"Sure, it'll take some time and you're bound to hit a rate limiter along the way, but even if it takes a day/week/month, it's worth the wait," wrote Moore.
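The control missing from a URL scheme like this is a server-side ownership check. As an added example (not Immobilise's or Paul Moore's code), the sketch below puts a handler that returns whatever certificate ID the URL names beside one that checks the record against the logged-in session, plus an expiring, MAC-protected link for deliberately sharing one record with a third party such as an insurer. The record contents, function names and token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records keyed by sequential certificate ID (hypothetical data).
RECORDS = {
    7161519: {"owner_id": 101, "item": "laptop", "serial": "SN-EXAMPLE-1"},
    7161520: {"owner_id": 202, "item": "tablet", "serial": "SN-EXAMPLE-2"},
}
SHARE_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients

def view_vulnerable(user_id, cert_id):
    """Before: both values come from the URL and neither is checked."""
    return RECORDS.get(cert_id)

def view_hardened(session_user_id, cert_id):
    """After: identity comes from the authenticated session and must match the
    record's owner. Missing and forbidden records look the same to the caller."""
    record = RECORDS.get(cert_id)
    if record is None or record["owner_id"] != session_user_id:
        return None
    return record

def make_share_token(session_user_id, cert_id, ttl=86400, now=None):
    """Owner-issued link for one record: carries an expiry and an HMAC tag."""
    if view_hardened(session_user_id, cert_id) is None:
        raise PermissionError("only the owner can share a certificate")
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{cert_id}:{expires}".encode()
    tag = hmac.new(SHARE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{cert_id}:{expires}:{tag}"

def view_shared(token, now=None):
    """Serve a record only for an unmodified, unexpired share token."""
    try:
        cert_id, expires, tag = token.split(":")
    except ValueError:
        return None
    msg = f"{cert_id}:{expires}".encode()
    expected = hmac.new(SHARE_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # certificate ID or expiry was altered, or the tag is invalid
    if int(now if now is not None else time.time()) > int(expires):
        return None
    return RECORDS.get(int(cert_id))
```

Because the tag covers the certificate ID, changing the number in a shared link invalidates it, so sequential IDs stop being enough to reach a record.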

News of the vulnerability became public yesterday on the BBC News website: 'Burglar's shopping list' security flaw fixed.

But what you won't necessarily realise when reading that news report is that the only reason the problem got fixed was because Paul Moore told the BBC about it, and the Beeb's technology team began to sniff around and ask Immobilise some awkward questions.

Immobilise didn't seem to take the problem anything like as seriously back in 2013, when they were first told about the flaw by Moore.

It reminds me quite a lot of how Dropbox only fixed a serious security hole on its systems which saw tax returns, mortgage applications and private photographs leak out when the BBC contacted them - months after initially being told there was a problem, and doing nothing.

Recipero, operators of Immobilise, issued a statement claiming it had now fixed the website:

Recipero, the provider of the Immobilise.com property register, confirms that a vulnerability in the website process has been identified. The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item.

This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.

Better late than never I guess, but elementary security holes like this shouldn't have been present in the first place. How many other systems, I wonder, might hold equally valuable data for criminals but are being protected by systems which are as useful as a chocolate teapot?

It does rather make a mockery of this claim made on the front page of Immobilise's website:

Secured by Design

Immobilise is accredited with the Secure by Design award; this means its systems and security solutions meet Police-approved standards.

To which I can only respond, "Oh dear. Maybe you need to improve your standards?"

Oh, and by the way, in case you're wondering how securely the police handle the data once it reaches systems like the NMPR (National Mobile Property Register), it's not all good news.

That site, also run by Recipero, was found by Moore to have its own security issues - such as being vulnerable to the POODLE SSL vulnerability.

Apparently this has now also been fixed, albeit without a public thank you to Paul Moore.

You can learn more about the flaws in the Immobilise website in Paul Moore's blog post.


5 Responses

  1. Andy

    January 7, 2015 at 6:11 pm #

    Just another example of how those "secured" and "hacker safe" seals are total crap. The last thing I want to do is tell the gov't what personal property I own and sure as heck I don't want to add it to some gov't database.

  2. Techno

    January 7, 2015 at 6:18 pm #

    Really worrying, especially as when I told someone about this site the first thing they said to me, straight off the top of their head, was "that's great for burglars", something I didn't even think of.

    However, I still think it is worth the risk for me as it helps to prove what you own if you need to make an insurance claim as insurance companies are so difficult nowadays. I don't have much that is stealable, well, not much more than anybody else nearby anyway. I don't think that knowing what is inside my one-bedroomed flat would make much difference to a thief's decision to break into it.

  3. David

    January 7, 2015 at 10:22 pm #

    Greetings,

    Threatpost has a great article today on data privacy and the "IoT". A talk given by one of the FTC Chairwoman that was directed at the big data gathering tech giants. Namely, watch your step, but said with a smile! It was great. Just Google it. :-D

  4. David

    January 7, 2015 at 10:28 pm #

    If anyone is really interested in the article I mentioned above, here is the link.

    http://threatpost.com/ftc-urges-iot-privacy-security-by-design-at-consumer-electronics-show/110265

  5. RoxannaGreenleaf

    January 15, 2015 at 4:57 pm #

    Their only advantage is that they'll inform you when something features a negative effect on your credit score. An individual can avail the about the internet prepaid recharge facility as an effect of a laptop or computer. Many people suffer from credit issues inside course of their lives.
