The phone on the left is that of the original user of the application. He has just entered the Fort Neipperg car park using on-demand access. But there’s nothing to indicate this on his screen. That’s because the parking notification has been sent to the phone of the second user (right), who has registered to track down the first. Photo: Paperjam

By hijacking the Indigo Neo parking application adopted by the City of Luxembourg, it is possible to find out where someone has parked without them knowing. This only applies to car parks with on-demand access. Here’s how it works.

Let’s say Alix parks every morning at Fort-Neipperg in Luxembourg City, a stone’s throw from her office. Since 1 June, she no longer needs a ticket to enter the car park: the barriers open automatically by scanning her number plate. That’s because Alix downloaded the Indigo Neo application. Convenient? That was without taking Lou into account, who decided to download the same app. But instead of entering his own number plate, Lou entered Alix’s. Lou now receives a notification telling him when Alix enters or leaves the Fort Neipperg car park.

Why would he do this? Perhaps Lou wants to break into Alix’s house and make sure the coast is clear. Or Lou and Alix are a couple and Lou wants to make sure that Alix doesn’t make any detours before or after work. Or for the same reasons, even if Alix and Lou aren’t a couple. There’s a whole host of other possibilities.

Whatever the case, the fact remains that the application can be used to track someone’s parking.

It’s a flaw highlighted by application developer Thibault Milan. So, Delano’s sister publication Paperjam tested it out with him. Each used their own phone, each used their own app, each used their own bank account. But they used the same number plate. The result: it’s the last person to authorise access to the application who gets the parking information. The first person, however, does not receive any notification that someone else has registered with the same vehicle.

The tracker pays the bill

The only sign the “honest” user gets is that, once the “dishonest” user has registered the same number plate to track him, the first person no longer receives his usual notification or parking information in his application. In addition, it’s the second person who pays the bill. These are details that can go unnoticed at first, if you’re not in the know...

Inti De Ceukelaire, the “ethical hacker” behind “notmyplate.com,” conducted a with 120 volunteer participants in Europe to determine the harmful effects of cameras used to read number plates. The vehicles of 29% of them were located in less than 100 days.

To solve this problem in Luxembourg, “we could ask the user to take a photo of the vehicle registration document,” says Milan--while demonstrating that it is easy to access the application with a completely fictitious name or address, as long as the bank account and number plate are real.

This is a way of ensuring that the person using the application also has access to the registered vehicle’s papers. But this does not solve the problem of tracking by the victim’s relatives, for example. So the developer came up with the idea of a sharing system, allowing the main user to add other people themselves. “Just a notification” when someone else registers our plate could already be a great help.
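The difference between the behaviour observed in the test and the two fixes Milan suggests can be shown with a small model. This is an added illustration, not Indigo Neo’s code: the class names, the account names and the plate value are invented, and it assumes the first account to register a plate is its legitimate holder.

```python
# Added illustration: a toy model, not Indigo Neo's code or data model.
from collections import defaultdict


class LastWriterWinsRegistry:
    """Behaviour the article reports: the latest account to register a plate
    gets the events, and the earlier account is told nothing."""

    def __init__(self):
        self.holder = {}                    # plate -> account
        self.inbox = defaultdict(list)      # account -> messages

    def register(self, account, plate):
        self.holder[plate] = account        # silently replaces earlier holder

    def gate_event(self, plate, event):
        self.inbox[self.holder[plate]].append(f"{plate} {event}")


class OwnerApprovedRegistry(LastWriterWinsRegistry):
    """The two mitigations suggested in the article: alert the existing
    holder, and let only that holder share the plate with others."""

    def __init__(self):
        super().__init__()
        self.shared = defaultdict(set)      # plate -> accounts added by holder

    def register(self, account, plate):
        current = self.holder.get(plate)
        if current is None:                 # assumption: first holder is legitimate
            self.holder[plate] = account
            return True
        if account != current:
            self.inbox[current].append(f"{account} tried to register {plate}")
        return account == current

    def share(self, holder, plate, other):
        if self.holder.get(plate) != holder:
            raise PermissionError("only the current holder can share a plate")
        self.shared[plate].add(other)

    def gate_event(self, plate, event):
        for account in {self.holder[plate]} | self.shared[plate]:
            self.inbox[account].append(f"{plate} {event}")


def demo(registry):
    """Constructed scenario from the article: Alix registers, then Lou."""
    registry.register("alix", "AB1234")     # constructed plate value
    registry.register("lou", "AB1234")
    registry.gate_event("AB1234", "entered Fort Neipperg")
    return dict(registry.inbox)
```

In the first model only Lou’s inbox receives the entry event; in the second, Alix is told about Lou’s attempt and keeps receiving her own notifications.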

A flaw limited to on-demand access

Good news for those who park on the street: the problem only seems to affect gated car parks, where the on-demand access option is available. Milan and Paperjam carried out the same test by parking in the open air on Boulevard de la Pétrusse. Here, it’s up to drivers to open the application and select their parking zone. In this case, the “dishonest” account receives no information.

When contacted, the Luxembourg City council stated that it had “no knowledge of the facts reported” and was awaiting a response from the application’s supplier.

The latter--the Indigo group--admitted to Paperjam that, for on-demand access, “the risk of fraudulent use is technically possible, but relies on the fact that a third party will pay for the parking of the user whose plate has been entered.” According to the company, this behaviour “will most likely be reported to our customer service department, as the situation is obviously abnormal.”

When asked about the possibility of requesting a photo of the vehicle registration document, for example, the company replied that the number plate recognition used “makes it possible to address very common cases of use where the user of a vehicle is not necessarily the owner. For example, the case of members of the same family who each have an Indigo Neo account with a different means of payment, but who share the same vehicle. It’s because of this type of use, which can also apply to small businesses, that the restrictions have not been adopted by the industry.”

So no major changes are planned. “Following knowledge of these specific (and extremely rare) cases, we have taken steps to strengthen our of sale so that we are able to take action in the event of fraudulent use being identified.” The terms and conditions now state that “the user undertakes only to provide number plates for vehicles of which he or she is the legitimate owner or user.”

Finally, Indigo Neo has “put in place a review of user accounts that could be considered at risk. If risky behaviour is identified, we can close the account in question.”

This story was first published in French on . It has been translated and edited for Delano.