Automated license plate recognition (ALPR) systems, used by law enforcement to track vehicles suspected of being connected to illegal activities, have been found vulnerable, lacking even the most basic protection against public access, the Electronic Frontier Foundation (EFF) is warning.
A report published by the group this week reveals that data captured by more than 100 ALPRs sold by PIPS Technology, a company now part of 3M, could be accessed online by anyone with the correct URL. That access could allow a remote attacker to monitor license plate captures in real time. In a statement to EFF, 3M stood behind the security features of its cameras, but said that security features on the devices must be enabled by customers.
“Any issues with our products are taken very seriously and directly addressed with the customer,” 3M said.
ALPR devices are mobile or stationary high-speed cameras that can detect when a vehicle enters their field of view and automatically take a picture that includes the license plate. The identification number is then extracted from the image using optical character recognition (OCR) technology and fed into the police system, raising an alert when a car tied to criminal activity is spotted.
The cameras are indiscriminate about the cars they photograph and also append metadata that includes the exact time, date and location of the snapshot. These details are sufficient to map out the travel history, current whereabouts or daily routine of an individual, felonious or not, which makes controlling access to these systems all the more important, EFF said.
The insecurity of the devices is not new. John Matherly, the creator of the Shodan search engine, has uncovered hundreds of open PIPS ALPRs, some of them allowing access not only to the live feed, but also to the configuration panel of the cameras.
At the Hack in the Box security conference this year in Amsterdam, Matherly demonstrated how he obtained about 63,000 unique license plates and accompanying metadata from 100 ALPR systems in five days (PDF), by using Shodan to search for insecure devices.
EFF’s own research at the beginning of the year confirmed the findings and showed that multiple such cameras managed by law enforcement agencies in Louisiana were not password protected and could be accessed via a browser or a public Telnet connection.
Although the non-profit organization disregarded devices that asked for credentials, Telnet configuration indicated that in many cases protection relied on weak or default passwords. Based on the data uncovered, the EFF was able to locate unprotected cameras in southeastern Louisiana, confirming the existence of some of them via Google’s Street View service.
The EFF also discovered four vulnerable cameras in a network of more than 60 belonging to the University of Southern California. In this case, however, the risk of a data leak was greater because the devices’ web-based configuration panels were hosted on the university’s public pages and could be reached from the public Internet.
What makes EFF’s effort stand out is that it followed the breadcrumbs found in configuration pages and correlated them with public records and news pieces to determine the parties responsible for the cameras and alert them directly.
The report from the privacy rights group comes after five months of exchanging messages with the controllers of the ALPR systems.
EFF said that policies are needed to prevent the collection of information on vehicles that are not relevant to ongoing criminal investigations and to reduce the storage duration for license plate capture images “to as short a time period as possible—days, not years or indefinitely.”
Many law enforcement agencies rely on the details captured by the high-speed cameras for efforts beyond stolen vehicle alerts. Historical data can be used in investigations where new leads surface more than a few days after a capture. But privacy advocates say that such collection amounts to passive surveillance of law-abiding citizens.
Some states have taken action. In California, a new online privacy law includes measures to make public and private entities running ALPR systems accountable to the public, including making the management of the data more transparent and holding the operators responsible for data breaches or unauthorized access of the systems.
In Vermont, proposed legislation aims at tightening regulations on ALPR use, but an agreement about data retention has yet to be reached, with the ACLU (American Civil Liberties Union) pushing for a 24-hour storage period instead of the current 18 months.