This can’t be a good day for Miami police.
We’ve known for a while that many webcams are a security train wreck, and that doesn’t change just because a police officer straps one on.
Now, unsurprisingly, police body cam footage has been found sloshing around online.
It’s not just that about a terabyte of videos from Miami Police Department body cams was leaked and stored in unprotected, internet-facing databases, according to the security outfit that found them. It’s that they were leaked and then sold, according to Jason Tate, CEO of Black Alchemy Solutions Group, who told The Register that his team had found the footage listed for sale on the darkweb.
Both- leaked and sold and still shared right now on a public server belonging to MiamiPD
— Cyber Intelligence Done, Intelligently (@bitsdigits) July 1, 2019
Tate first tweeted about the discovery on Saturday, including a sample video, which has since been removed.
Tate said that the data is coming from five different cloud service providers. Besides Miami Police, there’s video leaking from city police departments “all over the US”, he said.
It seems these 5 providers have city contracts all over.
Known security SNAFUs
Last August, a security researcher – Josh Mitchell, a consultant at security firm Nuix – analyzed bodycams from five vendors that sell to US law enforcement agencies. He spotted vulnerabilities in several popular brands that could place an attacker in control of a camera and tamper with its video.
Mitchell found that the lack of security in the police bodycams included broadcasting of unencrypted, sensitive information about the device that could enable an attacker with a high-powered directional antenna to snoop on devices and gather information including their make, model, and unique ID. That information could lead to police getting stalked, since an attacker could track an officer’s location or to even suss out when multiple police officers are coordinating a raid, Mitchell told a DefCon audience at the time.
Mitchell also found that some cameras include their own Wi-Fi access points but don’t secure them properly. An intruder could connect to one of these devices, view its files and even download them, he warned. In many cases, the cameras relied on default login credentials that an attacker could easily bypass. This could lead to attackers tampering with evidence by replacing it with convincing deepfake footage. (That’s just one example of why the US Defense Advanced Research Projects Agency (DARPA) has been studying the problem of detecting deepfakes.)
Tate is well aware of the potential for evidence tampering. When somebody on Twitter pointed out that the footage and its associated metadata are “largely public records,” he said he knows that. That doesn’t mean it won’t lead to problems in evidence integrity, though, he said:
Sure do!! But when it's mismanaged not redacted and without auth it makes for a field day in case evidence integrity amongst other things
— Cyber Intelligence Done, Intelligently (@bitsdigits) July 1, 2019
Miami Police Department must have felt the same way, since it looks like the department’s admins removed the videos from public access after Tate notified them about his findings. But it was publicly accessible for at least a number of days, he told The Register. That gave ample opportunity for hackers to copy videos from the databases and potentially sell them.
A spokesperson for Miami PD told The Register that the department is still looking into the claims and wouldn’t comment until it completed its review.