EFF Discovers More Leaky ALPR Cameras Accessible Via The Web

from the more-cameras,-less-security dept

Not only are automatic license plate readers (ALPRs) in use all over the nation, but the companies behind them are less interested in securing their systems than selling their systems.

Earlier this year, EFF learned that more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser. In five cases, we were able to track the cameras to their sources: St. Tammany Parish Sheriff’s Office, Jefferson Parish Sheriff’s Office, and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California’s public safety department. These cases are very similar, but unrelated to, major vulnerabilities in Boston’s ALPR network uncovered in September by DigBoston and the Boston Institute for Nonprofit Journalism.
The earlier investigative work mentioned by the EFF has been spearheaded by Kenneth Lipp, who has exposed several insecure camera systems run by private contractors but deployed by government agencies. Lipp has also uncovered unsecured law enforcement CCTV systems in other major cities, including New York's Domain Awareness System, where feeds could be easily accessed via the internet.

The systems the EFF accessed are sold and maintained by PIPS Technology. The EFF was able to access several stationary ALPR cameras and view live captures of plate data.

The company, now owned by 3M, offered this statement when notified of the security hole.
We cannot comment on issues PIPS may have had prior to the acquisition, but I can tell you any issues with our products are taken very seriously and directly addressed with the customer.

We stand behind the security features of our cameras. 3M’s ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces. These security features are clearly explained in our packaging.
Except, of course, the EFF's discoveries came after 3M's acquisition of PIPS. While the holes the EFF uncovered have been closed, 3M (and other companies) have pretty much declared unsecured ALPR cameras to be Not Their Fault. Over the years, researchers and activists (like Dan Tentler) have received a variety of deflections from ALPR companies.
3M spokeswoman Jacqueline Berry noted that Autoplate's systems feature robust security protocols, including password protection and encryption. They just have to be used.

"We're very confident in the security of our systems," she said.
That would mean something if the companies simply sold the software and hardware. But the companies also have direct access to client connections and should be able to check for unprotected sources. But they don't and when confronted, they blame the end user. When Kenneth Lipp went public with his discoveries, he received this answer from Genetec, which ran the systems he was able to access.
On the ALPR front, Genetec shirks all responsibility for the aforementioned open portal, even though a remote desktop client terminal, which was also left exposed, shows they had direct access. Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”
As far as the contractors are concerned, the problem is law enforcement agencies who are deploying the cameras and systems without implementing built-in security features. And while the agencies involved quickly closed the security holes, it doesn't change the fact that these systems went live while they were still unsecured. This could be chalked up to carelessness, but it could also be another indication of how little most agencies (and the companies who sell to them) care about the millions of people who aren't cops/government contractors. In their minds, the important thing is that the systems went live and started contributing to vast plate/location databases. Properly securing systems is still an afterthought.

Filed Under: alpr, license plate readers, security
Companies: 3m, eff, pips

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Andrew D. Todd, 30 Oct 2015 @ 9:27am

    The Trains, As Well The Automobiles.

    There was a curious story in this month's Trains Magazine (Dec 2015).

    To begin with, you may know that railroad cars have RFID tags of a sort, which are used to keep track of where the cars are, and to set the switches in sorting yards, and to allow track-side defect-detectors to point to particular cars. One funny story was that when a Barnum & Bailey circus train passed a detector, the machine detected something protruding from one of the cars, and rang an alarm. It turned out that one of the elephants had stuck his nose out for a bit of fresh air. The railroad tags are of very crude design, having been standardized at an early date. Each tag consists of twenty or so tuned oscillators (either RC or LC circuits, I don't remember which), some of the oscillators being shorted out to produce a bit pattern. The system does not include any kind of encryption or anything.

    Well, it seems that some mysterious strangers were caught installing a tag-reader along a main line in New Jersey. There was a certain amount of panic about how they must be terrorists, and all, but they eventually turned out to be working for an economics-research firm, which wanted inside information to bet on the oil-futures market. The reader had been installed on the railroad's land, only twenty feet from the track center. A power cord ran to a nearby house, whose owner had been paid $500, one-time, for a lease by the economic-research firm. The men from the market-research firm probably misrepresented themselves to the householder as having official business. I imagine the twenty or so resonating frequencies are reserved, so a free-lance tag-reader, which needs to transmit those frequencies, is illegal on that ground, as well as the physical trespass.

    Trains reproduced a picture of the locus in quo. There seems to be a backyard swing set about 50-100 further away from the track, and there's no fence. Railroaders tend to have rather laxer standards about these kinds of things than the builders of interstate highways. At some remote date in the past, the railroad cut a slot in the hillside for the track, terminated with 45-degree embankments, and never felt compelled to do more than that,even when farms were replaced by subdivisions. There are some trees (one looks at least fifty years old), halfway up the embankment, leading to someone's back yard. Railroads have been poor for a long time, and they've gotten used to being poor, and it simply doesn't occur to them to do a lot of things which Techdirt readers might expect them to do.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.