'Burglar's shopping list' security flaw fixed

By Dave Lee
Technology reporter, BBC News

Image source, Other
Image caption,
Paul Moore generated a fake ownership certificate to demonstrate the range of information provided

An online service recommended by most of the UK's police forces has fixed a privacy flaw after being alerted by a security expert.

Immobilise allows members of the public to add records to the National Property Register, detailing valuables in their homes.

But security consultant Paul Moore discovered a flaw that made it possible to access other people's records.

Recipero, operators of Immobilise, said it had fixed the vulnerability.

The Association of Chief Police Officers (Acpo) is responsible for ensuring websites recommended by police are fit for purpose. It told the BBC that it had been assured, by independent auditors, that the site met the correct criteria.

Acpo said it welcomed the speed at which the vulnerability was fixed, but added it would be discussing the matter with Recipero.

No 'irregular usage'

Mr Moore discovered that by altering ID numbers in the site's URL, or web address, different records would be automatically downloaded without any additional security measures.

Records kept on Immobilise include a person's name and address, as well as a list of valuables and a rough estimate of how much each item is worth. It is thought that more than four million people use the service.

Image source, Thinkstock
Image caption,
Information kept by the site included lists of valuable items - and addresses

The company assured the BBC it has taken steps to fix the flaw.

"Recipero, the provider of the Immobilise.com property register, confirms that a vulnerability in the website process has been identified," it said in a statement.

"The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item.

"This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage."

Recipero's chief operating officer Les Gray told the BBC there were some "inaccuracies" in Mr Moore's blog post, but would not specify further. Repeated requests for clarification ahead of publication were declined.

The site was also vulnerable to the so-called Poodle bug. The flaw, discovered by Google researchers, affects web-encryption technology.

"Recipero confirms that the 'Poodle SSLv3' vulnerability has also recently been addressed on all of Recipero's servers," the company said.

"As readers may be aware, this has affected a large number of the world's web servers and impacted on a number of operating system and web browser combinations."

Recovering stolen goods

Immobilise is used to match stolen goods to their rightful owners by inviting owners of valuable items to enter them into a database that can be accessed by police.

According to the police, the tool is used "thousands of times a day by forces all over the UK including Scotland and Northern Ireland".

Image source, Other
Image caption,
Immobilise carried Acpo's 'Secured by Design' logo

But Mr Moore said that elements of the site were insecure "by design".

"That's quite a nice shopping list for a would-be burglar!" he posted in a blog outlining the issue, updated to reflect the fact that it had been fixed.

"They'll know your name, home address, telephone number(s), email address, the make/model of your item, any identifying factors (serial numbers, IMEIs, unique marks etc) and even how much it's worth!

"Sure, it'll take some time and [hackers are] bound to hit a rate limiter along the way, but even if it takes a day/week/month, it's worth the wait."

'Exemplary record'

However, he acknowledged that it was "very unlikely" that any homes had been targeted as a result of the vulnerability.

Ken Munro, who works as penetration tester, advising companies on how to avoid being the victims of hack attacks, told the BBC he had concerns - but noted there were some security precautions in place.

"It would be easy to write a script to churn through the site and extract all users' property details," he said.

"However, it would take quite a while to do this. I also noted that they host their website with CloudFlare - a company that specialises in preventing this and similar attacks."

In its statement, Recipero defended its security record.

"For over a decade Recipero's Crime Reduction Ecosystem has benefited the public, police and traders.

"Throughout this period the business has maintained an exemplary record of data security. Swift attention to these issues reflects an ongoing commitment to security and privacy."

Follow Dave Lee on Twitter @DaveLeeBBC