NOS Nieuws•vandaag, 13:13
Q-Park’s ability to park contactless by number plate can be used to stalk people. A Belgian hacker discovered this, who also found the same problem with other parking companies and apps.
The problem is very simple to use: when people add a license plate to their Q-Park app, they don’t have to prove that the license plate belongs to them. If someone else’s license plate is added, you can see where someone is parking.
In return, the stalker pays his victim’s bill, making the problem primarily a risk for targeted stalking. For example, an angry ex can find out roughly where his ex-partner in hiding is hanging out, if the license plate is known.
Q-Park says in a response that people will automatically notice if their license plate is linked to someone else’s account. “Then the barrier will open and no costs will be charged.” Also, a license plate can only be linked to one account at a time, to prevent abuse. “If users notice this, they can contact customer service.”
However, people can also think that it is a malfunction if the barrier opens without payment, says the hacker, Inti De Ceukelaire. “Besides, by then it will be too late, because your location has already been passed on.”
De Ceukelaire also discovered the problem with apps that are mainly used outside the Netherlands, and with which people can pay for parking afterwards. This can be done by entering someone’s license plate to pay for a previous parking transaction.
The problem would also occur if people use the EasyPark app to park in a parking garage. That app is also offered in the Netherlands. In the Netherlands, the problem mainly occurs with parking garages, but in a number of cases also with street parking, says the hacker.
“120 volunteers signed up to test the problem, and in 29 percent of the cases I managed to find out their location,” says De Ceukelaire. “It could have been more, but I had to stop somewhere.”
The problem is not limited to parking: on toll roads with number plate recognition in France, Sweden, Norway and Ireland, users can also be tracked.
To avoid the problem, people can object under the GDPR privacy law via a tool on the website from the Belgian hacker. But ultimately license plates should be better protected, thinks De Ceukelaire. People would then have to confirm that a license plate actually belongs to them.
“I have no problem with this technique, but people do have a right to prevent abuse,” he says. Until then, Q-Park could, for example, show more clearly who pays for the transaction. “Then it will be clear more quickly if that is not true.”