Live feeds from license plate readers exposed online

The cameras of more than 100 automated license plate readers have been streaming live on the web, “often with totally open Web pages accessible by anyone with a browser,” the Electronic Frontier Foundation (EFF) said in a new report released last week.

The EFF says it learned about the lack of security around these cameras earlier this year and has for 5 months been working with the police and public safety departments to which it’s managed to track the cameras.

Those departments are in the states of Louisiana, Florida and California: St. Tammany Parish Sheriff’s Office, Jefferson Parish Sheriff’s Office, and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California’s public safety department.

The good news: all the Louisiana agencies and the University of Southern California (USC) have now taken action to secure the systems, the EFF says.

The bad news: the researchers who first tipped off the EFF have found plenty of other vulnerable cameras in Washington, California, Texas, Oklahoma, Louisiana, Mississippi, Alabama, Florida, Virginia, Ohio, and Pennsylvania – with the largest cluster being in southeastern Louisiana.

The systems in question, automated license plate recognition systems (ALPR, or simply LPR), are networks of cameras that capture images of every passing car and record data on each car’s license plate number, along with its driver’s movements, including time, date, and location where the vehicle was photographed.

The cameras are often mounted on patrol cars.

They’re also sometimes mounted on stationary structures alongside roads, such as light poles and traffic signals – the kind of camera that a New Yorker rendered (temporarily) useless by pushing it skyward with a painter’s pole and a couple of tennis balls in August 2015.

The systems alert police when they recognize a car that’s stolen or believed to be tied to criminal activities.

But even if a license plate number doesn’t show up on that “hot list,” its data is still recorded. ALPRs collect data on all cars, not just those being driven by suspects.

That means that the information collected – data that can be retained for years – mostly pertains to innocent people, the EFF notes:

Even if a vehicle isn’t involved in a crime, data on where it was and when may be stored for many years, just in case the vehicle later comes under suspicion. Consequently, a breach of an ALPR system is a breach of potentially every driver’s travel history.

Who tipped off the EFF

The genesis of the unsecured LPR systems report is in what researchers a few years ago mistakenly thought were hundreds of red-light cameras, spread throughout the US, that were connected to the Internet without any security measures in place.

The EFF says that when it started to drill down into the data earlier this year, it found that the systems weren’t red-light cameras after all. Rather, they were ALPRs being used in ongoing police dragnets.

The trail led to PIPS camera systems connected to the Internet, “often with control panels open and completely accessible through a Web browser,” the EFF says.

They were sold by a company called PIPS Technology that was bought by 3M.

Prior to the 3M purchase, PIPS bragged of installing more than 20,000 cameras around the globe.

John Matherly, the security specialist behind Internet of Things search engine/scanner/catalog Shodan, presented his findings about the unsecured cameras at security conferences, along with his colleague Dan Tentler.

The EFF’s description of what you could see if you knew where to look:

In some cases, anyone could open a window and view a camera’s live video stream and witness the plate captures in real time. There was essentially nothing to stop someone from siphoning off the stream of ALPR data in transmission or potentially controlling the cameras. The agencies that ostensibly controlled the ALPR systems hadn’t even put in place warning language about unauthorized access to the systems.

3M initially balked at accepted responsibility when CNN contacted the company about the issue in 2013.

From CNN:

3M spokeswoman Jacqueline Berry noted that Autoplate's systems feature robust security protocols, including password protection and encryption. They just have to be used.

"We're very confident in the security of our systems," she said.

Researchers kept exploring what could be done with the Internet access to the LPR systems.

Researcher Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate captures. A team of scientists at the University of Arizona subsequently built on his work, finding vulnerable cameras spread throughout the country.

What the Arizona researchers found they could do:

We were able to observe the number plate information and live images. We were also able to modify the configuration settings.

After the EFF started to explore the issue this year, this is the statement that 3M sent to the group:

We cannot comment on issues PIPS may have had prior to the acquisition, but I can tell you any issues with our products are taken very seriously and directly addressed with the customer. We stand behind the security features of our cameras.

3M’s ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces. These security features are clearly explained in our packaging.

Matherly when on to present at the Hack in the Box conference about how he easily siphoned 64,000 plate images and corresponding locational data points from the cameras over the course of one week.

Before the EFF published its findings, it gave government agencies time to fix what it called these “gaping holes” in security.

At this point, it published an interactive map showing the location of about 40 ALPR cameras, based on information contained in each camera’s configuration, along with a sample of what information it was able to view, with plate numbers redacted to protect the privacy of the drivers.

All that data doesn’t solve many crimes

Previous research done by Ars Technica has shown that LPR data is scarcely relevant to actually solving crimes.

That’s what the publication found when reporter Cyrus Farivar requested, and obtained, the entire LPR dataset of the police department of Oakland, California (OPD) – including more than 4.6 million reads of over 1.1 million unique plates captured in just over 3 years.

Ars found that the OPD’s “hit rate” of reading license plates of people who are actually under suspicion was a paltry 0.16%.

The power of aggregating all that data

As Naked Security often stresses in our reporting about Big Data, what’s particularly worrisome is not an individual record of, say, our car’s location at a particular date and time (though even that subset of data is still a concern if it shows where we hang out).

Seemingly innocuous pieces of discrete data – i.e., where your license plate was and when – manifest into something entirely different when amassed in huge data sets and cross-correlated, given that your plate number stays constant while your location changes.

While one data point about a license plate could – and has – been used to do things such as track fugitives or solve a gang-related homicide, there’s no saying what the government can do with massive amounts of correlated data spanning years of collection, the vast majority of which has been surveilled from innocent people who aren’t breaking any laws.

As a group of MIT graduate students outlined in this paper (PDF), even supposedly vague/imprecise/anonymized data can tell who’s who once a given data set gets big enough.

Or, the EFF says:

Depending on how much data has been collected, this information in aggregate can reveal all sorts of personal information, including what doctors you visit, what protests you attend, and where you work, shop, worship, and sleep at night.

The upshot: how these findings have already affected legislation

The EFF notes that it’s used its research to inform ALPR-related legislation in Louisiana and California.

Louisiana had been considering a statewide ALPR network to identify uninsured motorists. After the EFF told Governor Bobby Jindal that the state hasn’t managed to prove that it can secure the system it already has, let alone make it more massive, the governor vetoed the bill.

Jindal:

Camera programs such as these make private information readily available beyond the scope of lawn enforcement, pose a fundamental risk to personal privacy and create large pools of information belonging to law abiding citizens that can be extremely vulnerable to theft of misuse.

The EFF also wrote a letter in support of Californian Senate Bill 34, which now classifies ALPR data as “personal information” under the state’s data breach notification laws, requiring both private and public ALPR operators to publicly post detailed usage and privacy policies, and requires operators to keep the systems secure by maintaining…

reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.

Image of Old car license plates courtesy of Leonard Zhukovsky / Shutterstock.com