from the not-even-using-'password'-for-the-password dept
Data isn’t secure just because nothing happened to it when it was still in your possession. It can still “leak” long after the storage device has gone onto its second life in someone else’s hands.
The Fort Huachuca Military Police were just apprised of this truism by Twitter user KF, who had purchased some used Axon body cameras on eBay. The cameras still contained their microSD storage cards. And contained on those storage cards were a bunch of recordings (including audio) that hadn’t been wiped by the MPs before the cameras ended up on eBay.
Annnnnd this is me shitting my pants as I listen to extracted evidence video from this @axon_us camera sold on eBay? (in bulk lots!) Time to buy em up before they disappear! Collect you some evidence! pic.twitter.com/thZTrBCkui
— KF (@d0tslash) July 1, 2020
The whole thread is worth a read (here’s an unrolled version if you prefer to go somewhere other than Twitter). No one seems to know how the cameras ended up on eBay, but it’s pretty amazing they ended up in the secondary market with their recordings still intact.
What’s more amazing (but somehow simultaneously less surprising) is that the recordings weren’t encrypted or protected by a password. Axon responded to the Arizona Mirror’s reporting of this secondary-market breach by saying it was “looking into the matter.” It also said it would be putting more effort into telling its law enforcement customers what they should already know.
“We are… reevaluating our processes to better emphasize proper disposal procedures for our customers.”
What’s more reassuring is that this data disposal carelessness is no longer as much of an issue for Axon customers. The cameras in KF’s hands are first-generation models produced in 2015. Axon’s latest version encrypts recordings and, presumably, forces officers to select passwords to ensure this encryption isn’t rendered useless by a lack of login protection.
eBay also responded to questions from the Mirror, stating that it forbids the sale of surveillance devices like the ones KF was able to purchase. It also said sellers are responsible for making sure internal storage is wiped before devices eBay says it does not allow to be sold on the site are made available for sale on the site.
Security matters. But situations that demand the utmost in care are too often handled in ways that an octogenarian using their first computer ever would find amateurish. KF’s site contains this amusing/scary security test of police in-car camera systems — cameras the researchers were able to view live after discovering zero authentication was needed to access this stream. And the system itself was only “protected” by the default login/password, which the researchers found in a PDF copy of the device’s manual after a little bit of Googling.
For all the talk from law enforcement officials about the need to redact and/or withhold recordings out of concern for people’s privacy, they don’t seem to be very concerned that these recordings are ending up in the hands of the public. Nor does there seem to be much concern that recordings might be improperly accessed by other personnel with access to the devices while the cameras were still being used by the Fort Huachuca police. The lack of password protection is just as alarming as the apparent lack of proper disposal procedures. This is consumer-grade carelessness exercised by a taxpayer-funded entity with a whole lot of power and the obligation to be better public servants.