EFF Discovers More Leaky ALPR Cameras Accessible Via The Web

from the more-cameras,-less-security dept

Thu, Oct 29th 2015 2:19pm — Tim Cushing

Not only are automatic license plate readers (ALPRs) in use all over the nation, but the companies behind them are less interested in securing their systems than selling their systems.

Earlier this year, EFF learned that more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser. In five cases, we were able to track the cameras to their sources: St. Tammany Parish Sheriff’s Office, Jefferson Parish Sheriff’s Office, and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California’s public safety department. These cases are very similar, but unrelated to, major vulnerabilities in Boston’s ALPR network uncovered in September by DigBoston and the Boston Institute for Nonprofit Journalism.

The earlier investigative work mentioned by the EFF has been spearheaded by Kenneth Lipp, who has exposed several insecure camera systems run by private contractors but deployed by government agencies. Lipp has also uncovered unsecured law enforcement CCTV systems in other major cities, including New York's Domain Awareness System, where feeds could be easily accessed via the internet.

The systems the EFF accessed are sold and maintained by PIPS Technology. The EFF was able to access several stationary ALPR cameras and view live captures of plate data.

The company, now owned by 3M, offered this statement when notified of the security hole.

We cannot comment on issues PIPS may have had prior to the acquisition, but I can tell you any issues with our products are taken very seriously and directly addressed with the customer.

We stand behind the security features of our cameras. 3M’s ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces. These security features are clearly explained in our packaging.

Except, of course, the EFF's discoveries came after 3M's acquisition of PIPS. While the holes the EFF uncovered have been closed, 3M (and other companies) have pretty much declared unsecured ALPR cameras to be Not Their Fault. Over the years, researchers and activists (like Dan Tentler) have received a variety of deflections from ALPR companies.

3M spokeswoman Jacqueline Berry noted that Autoplate's systems feature robust security protocols, including password protection and encryption. They just have to be used.

"We're very confident in the security of our systems," she said.

That would mean something if the companies simply sold the software and hardware. But the companies also have direct access to client connections and should be able to check for unprotected sources. But they don't and when confronted, they blame the end user. When Kenneth Lipp went public with his discoveries, he received this answer from Genetec, which ran the systems he was able to access.

On the ALPR front, Genetec shirks all responsibility for the aforementioned open portal, even though a remote desktop client terminal, which was also left exposed, shows they had direct access. Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”

As far as the contractors are concerned, the problem is law enforcement agencies who are deploying the cameras and systems without implementing built-in security features. And while the agencies involved quickly closed the security holes, it doesn't change the fact that these systems went live while they were still unsecured. This could be chalked up to carelessness, but it could also be another indication of how little most agencies (and the companies who sell to them) care about the millions of people who aren't cops/government contractors. In their minds, the important thing is that the systems went live and started contributing to vast plate/location databases. Properly securing systems is still an afterthought.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: alpr, license plate readers, security
Companies: 3m, eff, pips

42 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 29 Oct 2015 @ 2:40pm

As for controlling the cameras there is definitely a problem. But the ability to view feeds of cameras recording the public? Where there is no expectation of privacy? It's much harder to argue that that should be private. Not to mention many ALPR records are available through FOIA.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 3:38pm
  
  Re:
  While crappy security is a concern in itself, I really don't care too much about individual camera feeds being exposed.
  
  My problem is with the security of the databases that are storing the data long-term (both exposing it to the public and storing it in the first place). As the density of ALPRs increases, the records effectively become as detailed as GPS data would be. It's like the police putting a GPS tracker on every single car in their city.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Oct 2015 @ 11:16am
    
    Re: Re:
    I think the data should be public record. It was collected in public and financed by taxpayers after all.
    [ link to this | view in chronology ]
    - Anonymous Coward, 30 Oct 2015 @ 11:39am
      
      Re: Re: Re:
      And this is why I just go for the 'don't do it at all' solution. With public records of everyone's exact driving routes, speeds, and stops:
      
      Health insurance co.: 'You stop at McDonalds way to often. We're raising your rates, Cholesterol Boy'.
      
      Boss: 'You stop at McDrunkies Bar for way too long, way too often. You're fired, Scotch Boy'.
      
      Police: We know your general pattern of stopping at the ATM. This means you have cash on you. All cash could be used to buy drugs, so we'll need to keep seizing it, Enyone Boy'.
      [ link to this | view in chronology ]
      - Anonymous Coward, 30 Oct 2015 @ 11:41am
        
        Re: Re: Re: Re:
        And I'm Typo Boy.
        [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2015 @ 2:56pm

Public access for public readers
All ALPRs that can readily be exposed to the public (i.e. they are already connected to the Internet for their administrators' convenience) ought to be exposed and accessible anonymously. People never appreciate a threat to privacy until they see how it impacts them personally. The potential abuses are much easier to understand when you can tell them "That camera sees when you leave, and anyone with an Internet connection can see it too. If you don't like it, get your city council to rein in surveillance."
[ link to this | view in chronology ]
Dismembered3po (profile), 29 Oct 2015 @ 2:58pm

Holy 1986, Batman!
"3M’s ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces."

I'm sorry....the WHAT interface?

I swore for a second you said "telnet interface."
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 3:34pm
  
  Re: Holy 1986, Batman!
  It was a mistake, the spokeperson meant the 'postcard' interface....
  [ link to this | view in chronology ]
- Moo (profile), 29 Oct 2015 @ 6:28pm
  
  Re: Holy 1986, Batman!
  And the security is disabled by default? I'm sure lots of their customers really want to run open-access services...
  [ link to this | view in chronology ]
- John Fenderson (profile), 30 Oct 2015 @ 5:38am
  
  Re: Holy 1986, Batman!
  That caught my eye as well. "Telnet interface" and "secure" are two things that don't go together at all. Telnet has been a security risk for years, and the generally accepted practice is to disable it entirely.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Oct 2015 @ 12:24pm
    
    Re: Re: Holy 1986, Batman!
    "Telnet interface" and "secure" are two things that don't go together at all.
    They can. Kerberized telnet exists, but I doubt these vendors are so competent.
    [ link to this | view in chronology ]
  - Anonymous Coward, 30 Oct 2015 @ 1:36pm
    
    Re: Re: Holy 1986, Batman!
    Telnet has been a security risk for years
    
    I believe you misspelled "since its invention".
    [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2015 @ 4:17pm

Around here the cops are always driving through shopping center parking lots with license plate readers, and slapping wheel clamps on cars which presumably have unpaid tickets of some kind. Since cars are not even required to have license plates while on private property, it's a wonder why these people don't just remove their plates while they spend the day at the mall.

Hopefully cars in the near future will come with quick-change licence plate holders, or covers, so at least parked cars will be safe from getting scanned.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 4:26pm
  
  Re:
  I keep meaning to make a smart-glass license plate frame/cover. That way, you don't have to figure out what to do with the plate, just turn off the ignition and the cover goes opaque.
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 29 Oct 2015 @ 4:44pm
    
    Smart-glass license plate
    That's like Q cool.
    
    And apropos in the surveillance era.
    [ link to this | view in chronology ]
    - Anonymous Coward, 29 Oct 2015 @ 5:43pm
      
      Re: Smart-glass license plate
      One problem is that having even transparent plate coverings is illegal on public roads in some places. But if smart-film gets thin & flexible enough, it could be molded right onto the surface of the plates, following the contours and being pretty hard to spot.
      [ link to this | view in chronology ]
      - 3M Guru, 29 Oct 2015 @ 7:27pm
        
        Re: Re: Smart-glass license plate
        ...and 3M makes that type of smart shrinking film you're seeking...
        [ link to this | view in chronology ]
        
        Anonymous Coward, 29 Oct 2015 @ 7:37pm
        
        Re: Re: Re: Smart-glass license plate
        I really hope the stuff is prohibitively expensive, otherwise I see a lot of free time in my future not being free anymore.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 29 Oct 2015 @ 10:16pm
        
        Re: Re: Re: Smart-glass license plate
        Damn, it doesn't even look challenging enough to be fun, using something like this. Only minor challenge might be getting the right amount of juice to the film at the right time. Has everybody else already been doing this for a while, and I'm just late to the party?
        
        (http://shop.smarttint.com/Plug-and-Play-Smart-Tint-Systems--You-Trim-To-Fit_c_4767.html)
        [ link to this | view in chronology ]
      - Anonymous Coward, 30 Oct 2015 @ 9:24am
        
        Re: Re: Smart-glass license plate
        ...transparent plate coverings is illegal on public roads in some places...
        
        In my area the law actually says the plate must be visible from 50 ft (15m) away and not obstructed. I've never seen it enforced, however.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 30 Oct 2015 @ 11:09am
        
        Re: Re: Re: Smart-glass license plate
        In my area, any license plate cover at all is illegal, even if it is 100% transparent and does not obstruct the visibility of the plate.
        
        And that law is enforced.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 30 Oct 2015 @ 11:43am
        
        Re: Re: Re: Re: Smart-glass license plate
        Mine too. I can only assume it's to prevent people from using radar-scattering materials on the cover, since we also have a law against perpetual motion machines.
        [ link to this | view in chronology ]
- Tedd, 30 Oct 2015 @ 8:53pm
  
  Re: Anonymous Coward
  Maybe plates that flip over, like on the Green Hornet's Black Beauty!
  [ link to this | view in chronology ]
  - Anonymous Coward, 31 Oct 2015 @ 4:37am
    
    Re: Re: (flipping off the cops)
    Not as many plates as James Bond, but good enough.
    
    http://www.youtube.com/watch?v=xTQOJmCztLw
    
    Perhaps a little slow for red right runners though.
    [ link to this | view in chronology ]
Uriel-238 (profile), 29 Oct 2015 @ 4:41pm

Taking a moment to blue-sky a radical notion...
What would happen if the next time some government spy database is hacked instead it just gets dumped to the public?

Say via peer-to-peer.

Somewhat hard on the victims, but maybe that might drive home that surveillance + lousy security is a maximum strength bad idea?

I mean, it's post Ashley-Madison, why haven't we learned this already?
[ link to this | view in chronology ]
- That One Other Not So Random Guy, 29 Oct 2015 @ 4:55pm
  
  Re: Taking a moment to blue-sky a radical notion...
  Because... terrorism.
  [ link to this | view in chronology ]
  - cofly, 29 Oct 2015 @ 8:04pm
    
    Re: Re: Taking a moment to blue-sky a radical notion...
    No... Think of the children!
    [ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 4:59pm
  
  Re: Taking a moment to blue-sky a radical notion...
  If the leaked data contains numerous license plate captures of public officials ( police chiefs, mayors, etc ) personal vehicles being parked at places of ill repute then yes I guarantee action will be taken to secure data from future hacks combined with a PR campaign explaining how the hacked data cannot be trusted and how most of it is fake.
  
  If it only contains citizen data a hack will change nothing.
  [ link to this | view in chronology ]
  - Anonymous Coward, 29 Oct 2015 @ 5:53pm
    
    Re: Re: Taking a moment to blue-sky a radical notion...
    Why do I have the sneaking suspicion that very soon, government cars will be equipped with tiny transmitters that tell ALPRs to stop photographing while they're in range. Hell, maybe all politicians will be able to get sub-dermal chips that tell all surveillance and security cameras to stop recording.
    [ link to this | view in chronology ]
    - Uriel-238 (profile), 29 Oct 2015 @ 8:57pm
      
      VIP Transmitters
      And then those transmitters will become big on the black market.
      [ link to this | view in chronology ]
      - Anonymous Coward, 30 Oct 2015 @ 1:12am
        
        Re: VIP Transmitters
        And then those transmitters will become big on the black market.
        
        I don't want a VIP-chip. I want a VIP-chip receiver. It will automatically raise the prices up a notch when one comes in range. Or other creative things to do with proximity sensors...
        [ link to this | view in chronology ]
- tqk (profile), 30 Oct 2015 @ 1:43pm
  
  Re: Taking a moment to blue-sky a radical notion...
  What would happen if the next time some government spy database is hacked instead it just gets dumped to the public?
  
  That is punishing exactly the wrong people, the victims. However, if the data's scrubbed of PII first, it might be effective and benign.
  I mean, it's post Ashley-Madison, why haven't we learned this already?
  
  They don't have to. It took more than a decade for businesses I worked for to twig to the fact that telnet, ftp, and rsh transfer passwords in cleartext visible to any sniffer (wireshark) on the network, so they should stop using them. When we went to wifi over ethernet, it was a disastrous idea to continue using them, but they did anyway. I even had to warn a large Canadian university they were running finger (a stalker's dream).
  
  Lacking accountability, there is no liability, and no need to improve or even catch up, but don't make the victims pay the price.
  [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2015 @ 5:10pm

How to stop this
Stopping this is easy:

1. Crowd fund software to recognize license plates
2. Purchase a few cameras
3. Find locals willing to have the cameras placed in their window facing the street.
4. Obtain, via observation, license plate numbers for various city officials
5. Publish time and location each time a public officials license plate is recognized
6. When they bitch about privacy feed them their own food of 'but it happens in public so there is no expectation of privacy' BS
7. Watch them agree to stop using their ALPR if we stop using our ALPR.

Oh who am I kidding, everyone involved in such an idea would be labeled a domestic terrorist and be prosecuted as such starting with me for suggesting such terrorism.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 5:12pm
  
  Re: How to stop this
  Looks like step one is already completed
  https://github.com/openalpr/openalpr
  [ link to this | view in chronology ]
- Mike, 30 Oct 2015 @ 12:53pm
  
  Re: How to stop this
  https://github.com/openalpr/openalpr
  
  http://www.openalpr.com/demo-image.html
  
  It's already done ;-)
  
  Have fun!
  [ link to this | view in chronology ]
- untrusting, 30 Oct 2015 @ 12:59pm
  
  Re: How to stop this
  Not only declared a domestic terrorist, but child porn would magically appear on their home computers, cell phones and tablets. Like magic.
  [ link to this | view in chronology ]
Geno0wl (profile), 30 Oct 2015 @ 8:14am

Heads Up
Another fun tidbit PIPS/3M responded to the article from the EFF...and then didn't bother to contact the contractors/agencies with the vulnerable cameras!
So while the article about the cameras came out on the 28th, and 3M responded to it...they never bothered to reach out and inform or help in any fashion the agencies that were vulnerable. So our agency didn't get notified of potential issues until the 29th when this article was read online.
Thanks for nothing 3M.
[ link to this | view in chronology ]
- tqk (profile), 30 Oct 2015 @ 1:48pm
  
  Re: Heads Up
  So our agency didn't get notified of potential issues until the 29th when this article was read online.
  
  Perhaps your agency should have sprung the beans to pay for the ongoing support contract. Cheapskates.
  [ link to this | view in chronology ]
  - Geno0wl (profile), 5 Nov 2015 @ 6:13am
    
    Re: Re: Heads Up
    Funny thing, we DO pay for the service contract!
    Now we are going back through and resetting all the camera passwords to what we want them to be...except for two of them. Why not two of them? Because apparently 3M set them different than the rest and "forgot" what they were set to!
    And they are fighting us about resetting the password because it isn't part of the "standard service contract"...yeah our person in charge of the contract is ready to flip their shit and has vowed to never buy another 3M product over this whole thing.
    [ link to this | view in chronology ]
Andrew D. Todd, 30 Oct 2015 @ 9:27am

The Trains, As Well The Automobiles.
There was a curious story in this month's Trains Magazine (Dec 2015).

To begin with, you may know that railroad cars have RFID tags of a sort, which are used to keep track of where the cars are, and to set the switches in sorting yards, and to allow track-side defect-detectors to point to particular cars. One funny story was that when a Barnum & Bailey circus train passed a detector, the machine detected something protruding from one of the cars, and rang an alarm. It turned out that one of the elephants had stuck his nose out for a bit of fresh air. The railroad tags are of very crude design, having been standardized at an early date. Each tag consists of twenty or so tuned oscillators (either RC or LC circuits, I don't remember which), some of the oscillators being shorted out to produce a bit pattern. The system does not include any kind of encryption or anything.

Well, it seems that some mysterious strangers were caught installing a tag-reader along a main line in New Jersey. There was a certain amount of panic about how they must be terrorists, and all, but they eventually turned out to be working for an economics-research firm, which wanted inside information to bet on the oil-futures market. The reader had been installed on the railroad's land, only twenty feet from the track center. A power cord ran to a nearby house, whose owner had been paid $500, one-time, for a lease by the economic-research firm. The men from the market-research firm probably misrepresented themselves to the householder as having official business. I imagine the twenty or so resonating frequencies are reserved, so a free-lance tag-reader, which needs to transmit those frequencies, is illegal on that ground, as well as the physical trespass.

Trains reproduced a picture of the locus in quo. There seems to be a backyard swing set about 50-100 further away from the track, and there's no fence. Railroaders tend to have rather laxer standards about these kinds of things than the builders of interstate highways. At some remote date in the past, the railroad cut a slot in the hillside for the track, terminated with 45-degree embankments, and never felt compelled to do more than that,even when farms were replaced by subdivisions. There are some trees (one looks at least fifty years old), halfway up the embankment, leading to someone's back yard. Railroads have been poor for a long time, and they've gotten used to being poor, and it simply doesn't occur to them to do a lot of things which Techdirt readers might expect them to do.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2015 @ 11:20am
  
  Re: The Trains, As Well The Automobiles.
  Is this some kind of copyright trap?
  [ link to this | view in chronology ]
Ticket Monster, 30 Oct 2015 @ 1:30pm

Not that hard
I work in IT. We buy network hardware from a vendor, and they made a simple change a year or two ago. When you unpack the device and turn it on for the first time, it asks you to change all the default passwords. You still log in the first time with the default they set, but before you can do anything else, you must change the default login password. It is a simple change every vendor should make.

When you power up a blank device, force a password reset.
[ link to this | view in chronology ]