In just 20 minutes this morning, the Automatic License Plate Recognition (ALPR) system in Nashville, Tennessee, was able to capture images and detailed information from nearly 1,000 vehicles as they passed. Among them: eight black Jeep Wranglers, six Honda Accords, an ambulance, and a yellow Ford Fiesta with a vanity plate.
This set of real-time vehicle data, collected by one of Motorola’s ALPR systems, should be accessible to law enforcement. However, a flaw discovered by a security researcher has exposed live video footage and detailed logs of passing vehicles, revealing the astonishing scope of surveillance enabled by this ubiquitous technology.
More than 150 Motorola ALPR cameras have exposed their video feeds and leaked data in recent months, according to security researcher Matt Brown, who first reported on the issues in a series of YouTube videos After purchasing an ALPR camera on eBay and reverse engineering it.
In addition to streaming live footage that anyone can access online, the misconfigured cameras also revealed the data they collected, including images of cars and license plate records. Real-time video and data feeds require no usernames or passwords to access.
side by side Other techniciansWIRED reviewed video feeds from several cameras, confirming that vehicle data — including makes, models, and vehicle colors — had been accidentally exposed. Motorola confirmed the exposures, telling WIRED that it is working with its customers to shut down access.
Over the past decade, thousands of ALPR cameras have popped up in towns and cities across the United States. The cameras, made by companies like Motorola and Flock Safety, automatically take photos when they detect a passing car. Police often use cameras and compiled databases to search for suspects. ALPR cameras can be placed along roads, on the dashboards of police cars, and even in trucks. These cameras capture Billions of images of cars, sometimes including bumper stickers, lawn signs, and t-shirts.
“Every one of them that I found exposed was in a fixed location on some road,” Brown, who runs the cybersecurity firm Brown Fine Security, tells WIRED. The exposed video feeds every single lane of traffic, with cars passing through the camera view. In some streams, snow is falling. Brown found two streams for each exposed camera system, one in color and one in infrared.
Generally, when a car passes an ALPR camera, a photo of the car is taken, and the system uses machine learning to extract the text from the license plate. This is stored along with details such as where the photo was taken and the time as well as metadata such as the make and model of the vehicle.
Brown says the camera feeds and vehicle data were likely exposed because they were not set up on private networks, perhaps by law enforcement agencies publishing them, and were instead viewed online without any authentication. “It is misconfigured. It should not be open on the public Internet.
WIRED tested the flaw by analyzing data streams from 37 different IP addresses apparently linked to Motorola cameras, covering more than a dozen cities across the United States, from Omaha, Nebraska, to New York City. In just 20 minutes, those cameras recorded the make, model, color and license plates of nearly 4,000 vehicles. Some cars were captured multiple times – up to three times in some cases – as they passed by different cameras.
https://media.wired.com/photos/677d3990c0bb5aebda66dbca/191:100/w_1280,c_limit/GettyImages-2191972762.jpg
Source link