Researcher Says Police Body Cameras Are An Insecure Mess

from the internet-of-cop-things dept

Wed, Aug 22nd 2018 3:33pm — Tim Cushing

The promise of transparency and accountability police body cameras represent hasn't materialized. Far too often, camera footage goes missing or is withheld from the public for extended periods of time.

So far, body cameras have proven most useful to prosecutors. With captured footage being evidence in criminal cases, it's imperative that footage is as secure as any other form of evidence. Unfortunately, security appears to be the last thing on body cam manufacturers' minds.

Josh Mitchell, a consultant at the security firm Nuix, analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. The companies all market their devices to law enforcement groups around the US. Mitchell's presentation does not include market leader Axon—although the company did acquire Vievu in May.

In all but the Digital Ally device, the vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. Or an attacker could simply delete footage they don't want law enforcement to have.

This is already bad news. We've already seen some evidence that officers have altered/destroyed footage. This attack vector allows almost anyone to do the same thing, all without leaving a trace of intrusion. But the flaws run deeper than this. According to Mitchell's research, some cameras can have their signals intercepted, allowing criminals to locate law enforcement officers or simply eavesdrop on recordings as they occur. It's not just a matter of criminals eluding cops. Hijacking signals obviously has a serious impact on officer safety.

And this is only the problem created by the cameras themselves. Every camera has to interact with another computer system to upload footage. In many cases, they're linked to cloud services as well, which introduce further vulnerabilities. Attackers could use body cams to deliver malicious payloads to law enforcement computer systems or the cloud services used to store recordings.

But underneath everything else runs this crucial part of the justice process: footage is evidence and evidence must be kept intact. Cameras and camera services simply aren't doing enough to prevent evidence tampering. The chain of evidence is relied on to ensure its integrity, but until these vulnerabilities are removed, body cam footage may as well be hearsay.

The bodycams don't have a cryptographic mechanism to confirm the validity of the video files they record either. As a result, when the devices sync with a cloud server or station PC, there's no way to guarantee that the footage coming off the camera is intact. "I haven’t seen a single video file that’s digitally signed," Mitchell says.

The good news is companies were alerted before Mitchell went public with his Defcon presentation. Most are implementing fixes, although a couple of smaller manufacturers refused to comment on the issues. The bad news is these fixes shouldn't have been necessary. The cameras and the services they rely on were put into service without many of these considerations being taken seriously. It appears they're no more secure than an off-the-shelf $30 webcam, even though they're only being sold to law enforcement agencies.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: accountability, body cameras, police, security, transparency

12 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Anonymous Coward (profile), 22 Aug 2018 @ 3:53pm

What good are the cameras when they can't be believed
Great. Now, not only can the police edit things to make them look how they wan't (so long as they don't get physically caught as some have) but others can help with the editing. If the video shows something the cops don't like, they can claim some hacker fixed it to make them look bad. If it shows something they do like, they don't even have a proper chain of evidence (one that shows no tampering) to make it legitimately court worthy.

On top of that, they send out signals that let bad guys track them, supporting their fear of their own shadows rhetoric. Expect them to argue to have the cameras removed for this.

All of this is beside the point that the cops want to keep what should be public information private. Obscuring their embarrassment is more important than justice.
[ link to this | view in chronology ]
- Anonymous Anonymous Coward (profile), 22 Aug 2018 @ 5:14pm
  
  Re: What good are the cameras when they can't be believed
  I should add that digital photography amended by Photoshop or GIMP or whatever for artistic purposes is a good thing. When they are supposed to be documenting actual happenings for evidence in court, not so much.
  
  Some police appear to be conflicted about the difference. They seem to think that 'producing' their version is the right thing to do. Get the bad guys. Make the quota. This does not work for the innocent, and innocent until proven guilty (with actual, real evidence) is what justice is supposed to be about. Not getting bad guys, or making quotas.
  [ link to this | view in chronology ]
  - Anonymous Coward, 23 Aug 2018 @ 7:08am
    
    Re: Re: What good are the cameras when they can't be believed
    Q: Is presenting false witness in a court of law illegal? Will such things get one in trouble?
    
    A: It depends.
    [ link to this | view in chronology ]
Beta (profile), 22 Aug 2018 @ 3:57pm

market forces
These systems are designed to be sold to Law Enforcement.

There isn't much point in spending development money guarding against threats the customer doesn't understand.

And the fact that the records can be altered by the person in control of the hardware sounds like a major selling point.
[ link to this | view in chronology ]
Pixelation, 22 Aug 2018 @ 8:10pm

No
Some of the police using them are a mess.
[ link to this | view in chronology ]
- Thad (profile), 23 Aug 2018 @ 10:16am
  
  Re: No
  The two things are not mutually exclusive.
  [ link to this | view in chronology ]
That Anonymous Coward (profile), 22 Aug 2018 @ 8:29pm

Bodycams.... quickly becoming bite mark forensics, knowing which head scratching person is a terrorist, and helping evidence be created.

Getting the contract was more important than building a device that kept an accurate record of incidents.
[ link to this | view in chronology ]
- Anonymous Coward, 23 Aug 2018 @ 7:09am
  
  Re:
  " an accurate record of incidents."
  
  Because that is not what they are interested in I guess.
  [ link to this | view in chronology ]
Uriel-238 (profile), 22 Aug 2018 @ 10:06pm

I am really not surprised...
Given the state of the rest of the Internet-Of-Things industry.

Has there been any improvement? A Nest device? A Barbie doll? Anything?
[ link to this | view in chronology ]
DannyB (profile), 23 Aug 2018 @ 6:18am

It is not necessary to tamper with evidence
The mere vulnerability is all that is needed. In practice, it won't be necessary to tamper with evidence. All you need is to create doubt about whether the police beating then killing a handcuffed suspect can be believed. As covered previously on TD, some courts already believe police testimony above what video evidence clearly shows.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2018 @ 10:41pm

In the age of the surveillance state, where the common people are tracked in public, at work and on the internet...police it seems are not.
[ link to this | view in chronology ]
- Uriel-238 (profile), 26 Aug 2018 @ 12:31am
  
  In our surveillance state
  In the age of the surveillance state, where the common people are tracked in public, at work and on the internet...police it seems are not.
  
  Not by their own, at any rate. They're being tracked as the rest of us when they are engaged in ordinary civilian activities and using their own electronics.
  
  I suspect if the espionage sector developed an antagonistic interest in the law enforcement sector they'd be tracked plenty.
  
  But yes, as for self-monitoring, we've long established the police cover each other's asses to much to concern themselves with proper conduct.
  [ link to this | view in chronology ]