… but what about spatial data security?
People expect instant access to location based data. That could be anything from a simple map to questions like, where is the nearest library? what is the current traffic? what does my holiday home look like? In addition, initiatives like INSPIRE require data to be made available as download or services.
This push-pull for information has been simplified through the adoption of open standards, web mapping, cheap hardware, open source software and available skills coming out of universities.
Excellent… to a point.
When does open access and availability of spatial information become a risk to an organisation?
At Linknode, under “white-hat” or Ethical Hacking we have recently been investigating data security across a range of services from a geospatial perspective.
It is apparent that willingness to make data services available (by the private sector, central and local government) can expose the data owners or licensee to multiple risks including:
- Routes to defamation of interfaces (maps)
- Unplanned publication of data (including risk of personal information)
- Exposure of data outwith licence terms
- Provision of data to third parties at revenue risk
- Vulnerability of services to denial of service attacks
Three case studies below provide examples of different risks in publishing geospatial data on public platforms…
Online data such as OpenStreetMap are open to vandalism, but have rigorous peer and automated processes to review this. They even have a dedicated wiki page.
Whilst a service such as OSM has a rigorous process and enough contributors to peer review and manage change, other services have seen different types of problems.
Exploitation of WMS
Government Services often deliver data through open standards. But these can be utilised by third-parties without appropriate security management.
The image below shows a sample server delivering hijacked (un-watermarked) OS MasterMap data from a popular commercial service. The service should be restricted to the client. However, the configuration of the web mapping platform used to display the map was insecure, and hence allowed the source of the data to be identified and reused.
It would be simple for any other organisation (based overseas and not concerned with UK / OS copyright law) to publish unlimited and free access to image-based OS mapping.
Whilst the examples above are WMS (image) based, it is possible to find vector feature (WFS) based examples, providing detail of coordinates and attributes. The data below should be small enough to not be able to identify the source, but it is possible to easily query several km of high value data.
The examples above are exploitation of data that have been intentionally published (albeit not to the intended end user). However, another example of spatial data security is where establishing a service introduces a broader attack surface. This could be used to access other data or even manipulate data depending on the security rules.
The table below demonstrates an example of GeoJSON data access extracted from a UK service.
There is a phrase within technical development called dogfooding – which means practice what you preach. Our services are reviewed by external security audit and we use recommended protocols for access/authentication management.
Both central services and local government need better education in understanding of impact and mitigation in this area in order to make appropriate decisions. Linknode are available to discuss, assess and advise on the less glamorous, but geospatial publishing.
Finally, there is a whole other branch of unmanaged geospatial publishing called GPS or map art. There are lots of examples online, here is a recent link.