Thursday, 15 September 2011

Westfield iPhone app in privacy fiasco

The retail giant’s action follows a blog by software architect Troy Hunt who found URLs containing the number plates of all cars at Westfield’s Bondi Junction centre were publicly accessible – no hacking was required.

The app lets a shopper enter their number plate and, after choosing a photo of their car from four displayed vehicles, seeks to guide the shopper back to their parking bay.

Sydney-based Hunt was able to develop software that could inform him of when all cars arrived and left the shopping centre, and exactly where they were parked.

Hundreds of small high-resolution cameras placed about two parking bays apart snap car images and number plate details, which are then made available to shoppers via the app when they want to relocate their car and leave.

However, Hunt found that the transmissions of details within the Park Assist system were not encrypted and could be intercepted by surveillance software searching URLs in the public domain.

“Think about the potential malicious uses if you’re able to write a simple bit of software,” Hunt says on his blog.

“A stalker receives a notification when their victim enters the car park (and they’ll know exactly where the victim is parked).

“A suspicious husband tracks when his wife arrives and then leaves the car park; an aggrieved driver holding a grudge from a nearby road rage incident monitors for the arrival of the other party; a car thief with their eye on a particular vehicle could be notified once it is left unattended in the car park.”

In a statement this afternoon, Westfield said the Find My Car functionality had been pulled.

“Park Assist, which provides the camera technology to capture the number plate, yesterday advised there was an issue with the authentication of their data feed to the iPhone which resulted in number plate data being publicly accessible via the internet,” Westfield said.

“This issue has been addressed immediately by Park Assist, and the Find My Car functionality will not be available for approximately one week until the app has been modified to ensure that data cannot be accessed online.”

Westfield said it did not believe the app had breached personal privacy as number plates were not personal information.

“In terms of privacy, the application does not contravene the Privacy Act in so far as number plates are not ‘personal information’, and are therefore not subject to that Act,” it said.

“Having said that, the application theoretically could be used for purposes other than its original intention; however, it does not facilitate any activity that couldn’t already happen otherwise.

“For example, a member of the general public may try to use the application to find a car that is not theirs.

“On the other hand, at the request of police, the application might also be used to assist in their enquiries into a given situation.

“However, Westfield would not expect either of these situations to be typical.”

Westfield said its Find My Car app service had been developed to offer a service to the average shopper, by making it easier to find their car.

During a recent test by The Australian, the app failed to show a direct route to the car as some shopping centre infrastructure was missing from the mapping database.

Westfield management had to personally assist with relocating the car.

The app, which connects to the centre's Park Assist guidance system, also helps shoppers find a vacant car space.

It displays the number of free parking bays in the two main Westfield car parks, and allows a shopper to select from a dozen large stores and discover which parking areas offer closest access.

The Park Assist guidance system has already been rolled out at Westfield centres in Hornsby, Chatswood, Parramatta and Kotara in NSW, and in the Melbourne suburb of Doncaster. It will be available in Queensland at Westfield Chermside in Brisbane from October.
