Researcher Buys Axon Cameras On eBay, Finds They're Still Filled With Recordings

from the not-even-using-'password'-for-the-password dept

Data isn’t secure just because nothing happened to it when it was still in your possession. It can still “leak” long after the storage device has gone onto its second life in someone else’s hands.

The Fort Huachuca Military Police were just apprised of this truism by Twitter user KF, who had purchased some used Axon body cameras on eBay. The cameras still contained their microSD storage cards. And contained on those storage cards were a bunch of recordings (including audio) that hadn’t been wiped by the MPs before the cameras ended up on eBay.

The whole thread is worth a read (here’s an unrolled version if you prefer to go somewhere other than Twitter). No one seems to know how the cameras ended up on eBay, but it’s pretty amazing they ended up in the secondary market with their recordings still intact.

What’s more amazing (but somehow simultaneously less surprising) is that the recordings weren’t encrypted or protected by a password. Axon responded to the Arizona Mirror’s reporting of this secondary-market breach by saying it was “looking into the matter.” It also said it would be putting more effort into telling its law enforcement customers what they should already know.

“We are… reevaluating our processes to better emphasize proper disposal procedures for our customers.”

What’s more reassuring is that this data disposal carelessness is no longer as much of an issue for Axon customers. The cameras in KF’s hands are first-generation models produced in 2015. Axon’s latest version encrypts recordings and, presumably, forces officers to select passwords to ensure this encryption isn’t rendered useless by a lack of login protection.

eBay also responded to questions from the Mirror, stating that it forbids the sale of surveillance devices like the ones KF was able to purchase. It also said sellers are responsible for making sure internal storage is wiped before devices eBay says it does not allow to be sold on the site are made available for sale on the site.

Security matters. But situations that demand the utmost in care are too often handled in ways that an octogenarian using their first computer ever would find amateurish. KF’s site contains this amusing/scary security test of police in-car camera systems — cameras the researchers were able to view live after discovering zero authentication was needed to access this stream. And the system itself was only “protected” by the default login/password, which the researchers found in a PDF copy of the device’s manual after a little bit of Googling.

For all the talk from law enforcement officials about the need to redact and/or withhold recordings out of concern for people’s privacy, they don’t seem to be very concerned that these recordings are ending up in the hands of the public. Nor does there seem to be much concern that recordings might be improperly accessed by other personnel with access to the devices while the cameras were still being used by the Fort Huachuca police. The lack of password protection is just as alarming as the apparent lack of proper disposal procedures. This is consumer-grade carelessness exercised by a taxpayer-funded entity with a whole lot of power and the obligation to be better public servants.

Companies: axon, ebay


Comments on “Researcher Buys Axon Cameras On eBay, Finds They're Still Filled With Recordings”

15 Comments
Anonymous Coward says:

> Axon’s latest version encrypts recordings and, presumably, forces officers to select passwords to ensure this encryption isn’t rendered useless by a lack of login protection.

Passwords would be the wrong way to handle this. We certainly shouldn’t be relying on each officer to select a good password. It should be the department enrolling the cameras in some public-key infrastructure. I see no reason why the cameras or individual officers should be able to read the stored data at all.

Anonymous Coward says:

Re: Re:

> I see no reason why the cameras or individual officers should be able to read the stored data at all.

Presumably, they already know what’s on it. From a security perspective, it’s pointless and a waste of effort to hide known data from them.

As for protecting the recordings from them, you’re running head first into the DRM problem. These things are, presumably, on their person constantly. In some cases the devices are allowed to be taken home after work. (See also any cop who takes home the squad car.) It’s only a matter of time before some smart cow figures out how to open the greatest and most secure gate latch without alerting the farmer. (Yes, the cops have these people too. Just like the gamers in the video game industry have their hackers.) Simply put, you can’t protect it indefinitely from an authorized carrier while it’s in their sole possession.

The best protection in this case is multiple location off-site storage of the complete feeds, and a complete rejection of all evidence by the courts if the camera footage can only be found on the camera itself. With harsh penalties for any discrepancies found between copies of the camera feeds. That way it places a verification requirement on them, ensuring that there are at least two good copies of the original feeds to corroborate with, and provides a strong incentive not to alter it. (No multiple identical feeds? No case.)

Anonymous Coward says:

Re: Re: Re:

> Presumably, they already know what’s on it. From a security perspective, it’s pointless and a waste of effort to hide known data from them.
>
> As for protecting the recordings from them

The point would not be to protect the data from the cops, but to avoid compromising the security by designing a local access method. If they want access to the footage, they can go through the official police system which will have an audit trail.

It’s easy to design camera software that randomly generates a key every few minutes, encrypts that key to a public key, and throws it away afterward. It would take extra effort to give the camera operator a way to review old footage, e.g. you’d have to give them a password, which means you’d have to enforce password security, wipe the passwords when selling the devices, make sure there are protections to stop criminals from grabbing cameras while unlocked or forcing cops to unlock them, etc.
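
The design this comment describes (a random key per recording segment, encrypted to a public key and then discarded), as an added example that is not part of the original comment and is not Axon's code. It uses Node.js's built-in `crypto` module; the choice of RSA-OAEP and AES-256-GCM, the function names and the sample footage are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed primitives: RSA-OAEP wraps the key, AES-256-GCM encrypts the footage.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Camera side. The camera holds only the department's PUBLIC key, so nothing
// it writes to the card can be decrypted with anything stored on the camera.
function sealSegment(publicKey, footage) {
  const key = crypto.randomBytes(32); // fresh key for this segment only
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(footage), cipher.final()]);
  const segment = {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key),
    nonce,
    tag: cipher.getAuthTag(),
    ciphertext,
  };
  key.fill(0); // best-effort wipe; only the wrapped copy is kept
  return segment;
}

// Evidence-server side: the only place the private key exists.
function openSegment(privateKey, segment) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, segment.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, segment.nonce);
  decipher.setAuthTag(segment.tag);
  // final() throws if the ciphertext, nonce or tag was altered on the card.
  return Buffer.concat([decipher.update(segment.ciphertext), decipher.final()]);
}

// Constructed demo: a throwaway key pair stands in for the department's PKI.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const footage = Buffer.from('constructed sample frames, segment 0001');
  const segment = sealSegment(publicKey, footage);
  const tampered = { ...segment, ciphertext: Buffer.from(segment.ciphertext) };
  tampered.ciphertext[0] ^= 1; // simulate a modified card
  let tamperDetected = false;
  try { openSegment(privateKey, tampered); } catch { tamperDetected = true; }
  return {
    recovered: openSegment(privateKey, segment).toString(),
    plaintextOnCard: segment.ciphertext.includes(footage),
    tamperDetected,
  };
}

console.log(demo());
```

A camera built this way would call `sealSegment` once per recording interval, so a card that leaves the department's control carries only ciphertext and wrapped keys.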

David says:

Probably mischaracterised

If I remember correctly from reading the report first, card content was deleted but cards were not wiped. Namely any software used for recovering accidentally deleted files from a media card would be able to recover stuff as long as it has not been overwritten.

That’s sort of a side point. The principal problem is not that the person reselling the device did not follow best practices. The principal problem is that the only entity able to resell devices possibly used in sensitive circumstances should be a trained unit. Either that, or security sensitive devices must be designed in a manner where the data on them, even if not tampered with in any manner, is completely unusable to any outside party.

Anonymous Coward says:

Re: Probably mischaracterised

> Either that, or security sensitive devices must be designed in a manner where the data on them, even if not tampered with in any manner, is completely unusable to any outside party.

Let us know when you solve the halting problem then. (Given a set of inputs if / when will this data be breached?)

The best practice here would be to make wiping the data correctly part of the default process. I.e. Pressing "Delete" from the file manager shouldn’t just unlink a file as per normal systems. "Deleting" should overwrite first, then unlink the file, then overwrite the filesystem metadata, all in one go. Deleting should also prohibit reuse of the media until that process is completed successfully, or the media gets completely re-initialized.

Doing that won’t prevent all breaches, of course, but it would cut down on the number of failure points. Especially those that can be stumbled on by a clueless, or careless, layman.

David says:

Re: Re: Probably mischaracterised

> Either that, or security sensitive devices must be designed in a manner where the data on them, even if not tampered with in any manner, is completely unusable to any outside party.

> Let us know when you solve the halting problem then. (Given a set of inputs if / when will this data be breached?)

Last time I looked, public key cryptography exists.

Anonymous Coward says:

Re: Re: Probably mischaracterised

> Pressing "Delete" from the file manager shouldn’t just unlink a file as per normal systems. "Deleting" should overwrite first, then unlink the file, then overwrite the filesystem metadata, all in one go.

That’s not good enough when flash translation layers are involved. There’s literally no standard way to access a particular physical block of a flash device. If you fill block 123 with zeros, the original content may remain on the device. (With no standard way to access it, of course; but attackers can abuse non-standard quirks in ways that would be unrealistic for manufacturers.)

If you’re lucky, the flash device has some kind of "wipe" command. If you’re really lucky, it’s actually secure. But we can’t rely on having so much luck that nobody ever loses these things without a chance to wipe them first. As David says, encryption is the real answer.
