Simple Questions, Security Design, Details and Assumptions
A few days ago we received a call from a journalist who was researching an article about a parking space management system. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras send their images to a system that identifies free parking spaces and reports the available spots to drivers via their satnav. The journalist wanted to know how safe this is and whether it might pose a threat to privacy. The answer is not that easy. In this context it typically comes out in the style of Radio Yerevan and starts with "In principle yes, but …". In our case it depends on the details of the implementation.
Brevity and a sensible reduction of details are the key to explaining difficult problems. This can quickly turn into a difficult problem itself when assumptions are involved. Let's take the parking space cameras as an example. The basic components are the cameras, a system that processes the images, and a component that tells the satnav (which one?) about the free parking spaces. If you claim that "in theory there should be no or only a negligible impact on privacy/security", you are leaning heavily on a lot of idealistic assumptions. Unless you have answers to the following questions, you will not be able to give a qualified answer.
- What data is exactly transmitted between all the components involved?
- How do the cameras transmit the images to the backend system?
- What happens to the images during/after processing? How are they stored? How are the backups implemented?
- Are the cameras/servers hardened?
- Which satnav(s) are supported?
- How does the backend system transmit data to the satnav(s)?
- How can all components involved be accessed? Are there restrictions for access in place?
The list is most probably incomplete. Hopefully these questions illustrate that an innocuous question can trigger many in-depth questions. Security researchers (usually) know this, but others not involved with security might not. Please do not use these questions as arguments against the parking space project. It merely serves as an example, and the project manager has assured us that the camera images will only be stored temporarily and that license plates will not be decipherable.