Register to protect stolen property has security flaw

A "burglar's goldmine" of UK property details has potentially been accessible due to a flaw in the registration service.

UK homeowners will be relieved that a security flaw that could have let criminals into the UK's National Property Register (NPR) – which lists over 28 million valuables and is described as “a burglars' shopping list” – has now been fixed.

The flaw was found in the free Immobilise service, which lets people add details of all their valuables to the NPR, along with their name and address – ironically, in case they are stolen.

Immobilise is backed by most of the UK's police forces, but IT security consultant Paul Moore of Urity Group said this week that attackers could collect details of all its account holders through a 'direct object reference' weakness in the site.

With around four million users and more than 28 million valuables, Moore said this presented “quite a nice shopping list for a would-be burglar”.

But the company behind Immobilise, Recipero, has moved quickly to plug the hole.

Likewise, a Poodle/SSLv3 exploit identified by Moore in Immobilise and its sister service, CheckMEND, as well as the police's own National Mobile Property Register (NMPR) website, has also been fixed.

Moore said the Immobilise problem lay in its sequential certificate numbering system, which made it easy for attackers to simply loop through every combination and collect all 28 million-plus entries.

He said: “This exploit is known as a direct object reference, though I refer to it as the 'open DOR' attack to signify the ease with which it can be detected and exploited.

“Immobilise isn't the first site to be vulnerable to such an attack, but it's the first I've seen which appears to be built around this flawed principle. If this technique meets 'secured by design' criteria, you have to question how reliable this (or indeed any) trustmark really is.”

Moore said criminals could use it to gather “your name, home address, telephone number(s), email address, the make/model of your item, any identifying factors (serial numbers, IMEIs, unique marks, etc) and even how much it's worth!”.

But Recipero chief operating officer Les Gray confirmed it has fixed the flaw, and that it was not misused by any criminals.

Gray told SCMagazineUK.com: “There was a vulnerability; it was not exploited, and it's been removed. We're certainly grateful for him (Moore) bringing it to our attention when he did and we were able to sort it very quickly.”

But Gray said Moore's blog had over-stated the risk. “He's absolutely right in his reporting of the fact that there was a vulnerability but much else behind the potential of that vulnerability is less than correct,” Gray told SC.

Recipero cured the problem by removing the feature that allowed non-account holders to access ownership certificates.
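The weakness described above, a record selected purely by a sequential certificate number, is shown here beside a lookup bound to the caller's session and an unguessable reference for sharing with someone who has no account. This is an added example, not Recipero's code or its actual fix; every name, field and record is a constructed assumption.

```python
import secrets

# Constructed sample records keyed by sequential certificate number.
# All names and fields here are hypothetical.
CERTS = {
    1001: {"owner": "alice", "item": "laptop"},
    1002: {"owner": "bob", "item": "bicycle"},
}
SESSIONS = {}     # session token -> account name
SHARE_LINKS = {}  # unguessable reference -> certificate number


class Forbidden(Exception):
    """Raised for every denied lookup, whatever the reason."""


def login(account):
    # Authentication itself is out of scope; this only issues a session token.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def get_certificate_insecure(cert_id):
    # Weak pattern: the client-supplied number alone selects the record.
    return CERTS[cert_id]


def get_certificate(session_token, cert_id):
    # Hardened pattern: the record must belong to the session's account.
    account = SESSIONS.get(session_token)
    record = CERTS.get(cert_id)
    # One error for "no session", "no such record" and "not yours", so
    # responses do not reveal which certificate numbers exist.
    if account is None or record is None or record["owner"] != account:
        raise Forbidden("certificate not available")
    return record


def share_certificate(session_token, cert_id):
    # Only the owner can mint a reference for someone without an account.
    get_certificate(session_token, cert_id)
    ref = secrets.token_urlsafe(32)
    SHARE_LINKS[ref] = cert_id
    return ref


def get_shared_certificate(ref):
    if ref not in SHARE_LINKS:
        raise Forbidden("certificate not available")
    return CERTS[SHARE_LINKS[ref]]
```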

In a statement, the company also confirmed: “The Poodle SSLv3 vulnerability has recently been addressed on all of Recipero's servers,” adding that the flaw had affected “a large number of the world's web servers”.

But analysing the problem, James Brown, director of cloud computing and solutions architecture at Alert Logic, criticised Immobilise's site design.

He told SCMagazineUK.com via email: “Attacks like this - where a request for data is not tied to the user's session - have been around for a long time. It is terrible that as a profession we are still putting these vulnerabilities and others into production.

“To protect against this type of attack, people need to implement secure coding practices where security becomes part of the development process. Additionally look to invest in tools like web application firewalls that can help protect and notify you when an application comes under attack.”

Brown added: “This attack highlights that even with SSL certificates and other 'secured by design' logos on the site, this is another example of a high-profile site that could easily leak valuable information to an attacker - there is no reliable way of understanding if a website you are using is secure or not.

“Although it has been a bad year for vulnerabilities with Heartbleed, Shellshock etc, it is still the website itself that is often the most vulnerable.”

Recipero was founded in 2000 to provide a “crime reduction ecosystem of data gathering and intelligence solutions”.

Immobilise helps police identify the owners of recovered property, and is used thousands of times a day.

CheckMEND records over 150 billion items of property and is used by the UK phone recycling industry to help them avoid accepting or handling stolen goods.