Automated license plate recognition systems have been used for over a decade by law enforcement to monitor and identify traffic offenders. More recently, the technology has found its way to customer-facing applications, despite criticism by privacy advocates. Until now, most privacy concerns revolved around increased risk of government surveillance, automated decision making, high cost of usage and potential data breaches. With this research paper, we are putting the theory into practice and factual data, uncovering different ways in which these systems are inadvertently already exposing vehicle location data to the general public. The growing trend of affected license plate systems across Europe and the U.S. is concerning, and calls for prompt and decisive actions by legislators to mitigate the increasing risks.

In order to automatically start- and stop a parking- or tollroad session based on a license plate, parking apps allow their users to enter their license plate number. Whilst this is convenient, this system lacks any form of authorisation: none of the apps verified whether the license plate was owned or affiliated to the person who entered it. This creates an opportunity window for a malicious actor to register someone else’s license plate and enable ANPR-based payments on their behalf. The next time a connected ANPR camera would detect the license plate, the attacker would receive a live push notification informing them of their session, disclosing the name of the parking lot the license plate is detected.

The bottom line: I can subscribe to location updates for any license plate I want, without consent of the owner.