In a revealing incident, an automated license-plate-recognition (ALPR) system in Nashville collected detailed data from nearly 1,000 vehicles within just 20 minutes. This system, originating from Motorola, is designed to assist law enforcement in tracking vehicles. However, a security researcher uncovered a significant flaw that exposed live video feeds and data regarding the vehicles captured, highlighting the extensive surveillance enabled by this technology.
Researcher Matt Brown reported that over 150 Motorola ALPR cameras have inadvertently published their video feeds online. By purchasing and reverse engineering an ALPR camera from eBay, Brown identified this vulnerability. The misconfigured systems allowed anyone access to the live streams and logs of license plates without any authentication.
Brown collaborated with other technologists to assess the data, confirming that makes, models, and colors of vehicles were accessible. Motorola acknowledged the exposure and stated that it is working to secure these vulnerable systems with its clients.
ALPR cameras, now commonplace in numerous U.S. cities, automatically capture photographs of passing vehicles, storing crucial data that law enforcement can reference in investigations. However, the surveillance implications and potential abuses of this data raise profound concerns.
Brown’s investigation revealed that the cameras were often misconfigured, exposing their feeds to the public internet instead of being secured on private networks. He found that 37 different IP addresses linked to Motorola cameras were publicly accessible across various cities, capturing details of nearly 4,000 vehicles in just 20 minutes during testing.
Motorola confirmed some systems were exposed due to customer-modified configurations and stated plans to strengthen security measures in future firmware updates. Critics like Cooper Quintin from the Electronic Frontier Foundation expressed that such issues breach public trust, asserting that police should not gather these types of data without stringent scrutiny and active investigations.
Brown’s discovery of exposed camera data stemmed from specific unique error messages visible on the devices, leading him to identify potential vulnerable IP addresses across the internet through scanning tools. The implications of ALPR usage, especially regarding how long data is retained and privacy risks, have ignited discussions among civil liberties groups and lawmakers.
In New Hampshire, for instance, there are tighter regulations stipulating that data collected by ALPR cameras must be deleted within three minutes, highlighting the need for stricter oversight in managing this surveillance technology.
As public debate surges over the balance between safety and privacy, the use of ALPR systems continues to raise pressing questions about their role in modern law enforcement and the inherent risks they pose to civil liberties.
