License plate readers can be a security nightmare
The fact that automated license plate recognition (ALPR) systems can store data for years is apparently not the only disturbing thing about them. Some of them are exposed online and are easily accessible to anyone with an internet connection and a browser, the Electronic Frontier Foundation has confirmed. The EFF investigated over 100 cameras in five various locations across the country starting this spring and discovered that most of the vulnerable ones were manufactured by a company called PIPS, which is now owned by 3M. The degree of vulnerability differed across locations: in extreme cases, you can view the camera's live feed online and even pull up its control panel.
EFF says the first person who tipped the group about the issue is John Matherly, the person behind the connected device search engine Shodan. Matherly was able to extract as many as 64,000 license plate images for a hacking conference earlier this year -- see image below for samples -- because looking for them is as easy as plugging a few keywords into his search engine. The foundation already got in touch with the authorities of the locations it investigated, and most of them responded favorably by securing their systems.
Still, the EFF believes that "dozens of cameras [in the locations it looked into] may still be vulnerable in some form" and advises law enforcement agencies to be more vigilant if they plan to use plate readers.
It is our hope that with publication of this report, all agencies responsible for PIPS cameras, wherever they are in the country, initiate comprehensive security audits of their devices. ALPR systems are a form of mass surveillance, plain and simple. This technology captures information on every driver, regardless of whether they are under suspicion.
If law enforcement agencies are going to pursue this technology, then they should limit storage of this data to as short a time period as possible—days, not years or indefinitely, as is the current practice of many agencies. The safest policy would be to not store data unrelated to crimes at all, but only capture data on hot-listed vehicles suspected of involvement in crimes.
