10/29/2015
License Plate Reader Security Flaw Exposed
Police agencies put license plate cameras on the web without any security precautions.
Law enforcement agencies around the country are undermining the privacy of motorists by failing to secure data from automated license plate readers (ALPR, also known as ANPR in Europe). The Electronic Frontier Foundation (EFF) on Wednesday revealed that five agencies in California, Florida and Louisiana left their camera systems exposed to the public on web pages that did not require passwords or other strong forms of security.
EFF spent five months working with the affected agencies to get them to address the problem before going public with the news. The flaws were found at the St. Tammany Parish Sheriff's Office, Jefferson Parish Sheriff's Office and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California's public safety department.
These departments used cameras from Pips Technology, now owned by 3M, that connected directly to the Internet. By default, the systems were not secured with strong passwords or encrypted. In some cases, password protection could be bypassed by accessing the system's settings. For the most part, anyone with the web address could access the cameras' video feeds and live data.
EFF began looking for unsecured license plate cameras earlier this year following the work of computer security researchers who had identified the Pips Technology flaw in 2013.
"As longtime critics of mass surveillance systems, EFF would like nothing more than to see a law enforcement agency take its ALPR networks offline," EFF's Dave Maass and Cooper Quintin wrote. "But that's a decision for the agencies to make, not computer researchers. Our greatest concern was ensuring that, if they were going to continue to use these systems, they not put the public's privacy at risk of a data breach."
The researchers noted that the University of Southern California's unsecured camera was located across the street from the Pi Kappa Phi fraternity house, enabling a live video feed of cars passing by and people walking across the street. One of the Florida cameras was placed in a way that recorded vehicles leaving the parking lot of a gun store and firing range.
"As these cases illustrate, when law enforcement agencies use surveillance systems, they need to be far more vigilant in ensuring that the technology is secure before they deploy it," Maass and Quintin wrote.