Police, municipalities are using highly insecure Bright City app

Researcher claims the Bright City app, meant to be used by cops, local governments and citizens, lacks security controls and exposes data

Police, municipalities are using highly insecure Bright City app
Thinkstock

Back in January, the New Castle County Police Department in Delaware told citizens about a “property lockbox app” that could be used to take photos of personal property, record the serial and model numbers, and send that information to the police if their property was stolen.

The notification caught the attention of Randy Westergren, a security researcher and senior software developer at XDA-Developers. Curious, he started looking into the Bright City app. Westergren discovered a plethora of problems, calling Bright City “a highly insecure police and municipal government app.”

His county had purchased the app, which is described as allowing “direct, two-way communication between Bright City users and municipalities.” The app claims, “Now for the first time, your entire government accessible by your citizens on one mobile app.”

Bright City includes a property lockbox feature, a way for citizens to pay citations, an events and ticketing purchase feature, a way for citizens to report suspicious activity, a feature for citizens to report potholes or city areas needing maintenance, a way for citizens to ask police patrols to keep an eye on property while they are away, and a newsfeed for cops to share important info with citizens.

Many security issues found

The premise might sound good, but Westergren discovered after creating an account that the request the app makes when fetching the user’s profile information “required no authentication whatsoever.”

It goes downhill from there. Westergren found that the app returns the user’s password in plaintext. “Clearly, this is as bad as it gets,” he noted.

Digging deeper, he discovered that all the API requests are made “without any authentication or session-state mechanism whatsoever.”

Then, he tested the “lockbox” feature, meant to be used as proof to police if a citizen’s personal property was stolen, and uploaded some images. Sadly, he found a directory listing issue: “All of the uploaded documents and images in the app were publicly accessible.”

As far as Westergren is concerned, “The risks to the public in using this app are numerous and severe.” He added:

Not only is there sensitive information stored in the app itself for attackers to take freely, but actions and events within the system can be spoofed and submitted on the behalf of other users (or police agencies).

Without a fundamental authentication requirement, the integrity of any app information or action/event cannot be guaranteed to be legitimate. To be clear, there are user passwords (and other personal info), resident reports of suspicious persons, citizen electronic catalogs, and even payment information stored and used in this system—and none of it is safe.

Since the passwords are in plaintext, he pointed out that an attacker armed with a user’s password might be able to compromise other accounts due to password reuse.

When it comes to disclosure, Westergren debated, “How do you disclose ‘your product is toast, please start over?’”

In the end, he reported the issues to his county. The vendor did temporarily take down the app to implement authentication, but Westergren said, “numerous other issues I reported remain unaddressed.”

Copyright © 2017 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022