UK National Property Register, Drawing a Map for Robbers

The UK has a handy process for helping to safeguard physical valuables: the Immobilise National Property Register, where people can record details about their valuables to make it easier for police to track the goods if they’re stolen. One issue, though: until recently there was a security hole that made it possible for hackers to intercept details about people’s gadgets and goodies, including where they’re physically housed.

It was like having a drawn map to the most lucrative physical addresses for a robbery. Want a new HDTV? No worries, the Hornaceks on Brighton Terrace just bought two.

The site logs a treasure chest of details, including registrant names, home addresses, telephone numbers and email addresses, along with the details of the valuables themselves. The latter information includes serial numbers, the make and model of each item, and how much they’re worth. With an estimated 4.2 million users and 28 million records, it is what information security consultant Paul Moore calls “a veritable goldmine for burglars.”

According to Moore, there was a hole in the certificates used by Immobilise to keep data private. Once a device has been registered, the user is given a certificate of ownership, each one with a specific ID number. One issue: the numbers weren’t random, but rather sequential.

“If the last certificate number is 7161519, the next is 7161520 and so on,” Moore explained. “However, if someone happens to add another item to their account before you, your next number is 7161521. By simply looping through every combination, it's possible to collect all 28+ million entries. That's quite a nice shopping list for a would-be burglar!”

Now, Recipero, the company behind Immobilise, has mitigated the risk by limiting access: website visitors are no longer able to view records which they do not own.

It’s still not perfect, Moore cautioned. “Although it's undoubtedly more secure, the inability to verify the authenticity of a certificate appears to render this process pointless,” he said.
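The access-control change described above, together with one way to restore the verification Moore says was lost, as an added example that is not Recipero's code. The records, user names, server key and the HMAC-based verification code are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the certificate numbers follow the sequential pattern in the article.
RECORDS = {
    7161519: {"owner": "alice", "address": "1 Example Road", "item": "HDTV", "serial": "SN-A1"},
    7161520: {"owner": "bob", "address": "2 Example Road", "item": "Laptop", "serial": "SN-B7"},
    7161521: {"owner": "alice", "address": "1 Example Road", "item": "Camera", "serial": "SN-A2"},
}
VERIFY_KEY = secrets.token_bytes(32)  # hypothetical server-side secret, never sent to clients


def view_before(cert_id, session_user):
    """Pre-fix behaviour: knowing (or guessing) the number is enough to read the record."""
    return RECORDS.get(cert_id)


def view_after(cert_id, session_user):
    """Post-fix behaviour: the record is returned only to the account that owns it."""
    record = RECORDS.get(cert_id)
    if record is None or record["owner"] != session_user:
        return None  # identical answer for "no such certificate" and "not yours"
    return record


def verification_code(cert_id):
    """Unguessable code the owner could print on the certificate (assumed design)."""
    return hmac.new(VERIFY_KEY, str(cert_id).encode(), hashlib.sha256).hexdigest()


def verify(cert_id, code):
    """Third-party check: needs number and code, and discloses no name or address."""
    expected = verification_code(cert_id).encode()
    matches = hmac.compare_digest(expected, str(code).encode())
    record = RECORDS.get(cert_id)
    if not matches or record is None:
        return None
    return {"item": record["item"], "serial": record["serial"]}


def visible_to(view, session_user):
    """Certificate numbers a given logged-in user can read through a view function."""
    return [cid for cid in sorted(RECORDS) if view(cid, session_user) is not None]
```

With the ownership check in place, the sequential numbers stop mattering for confidentiality, and the separate code lets a buyer or police officer confirm a certificate without the site exposing the owner's details.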

Immobilise issued an online statement earlier today about what it called a “server resource issue,” but didn’t mention the mitigated flaw.

“Unfortunately, due to unprecedented website traffic resulting from recent publicity, demand for the Immobilise website has exceeded current allocated resources,” it said in a website notice. “To address this issue we have taken the Property Register offline whilst we perform maintenance and add additional front-end server capability... Please rest assured that all account data remains secure.”
