Real-Time Video Feeds and Vehicle Data from License Plate Readers Are Being Exposed

An automated license-plate-recognition (ALPR) system in Nashville, Tennessee, has come under scrutiny after a security researcher revealed significant vulnerabilities that expose vast amounts of live vehicle data. Over a brief span of 20 minutes, the ALPR system captured photographs and detailed information of nearly 1,000 vehicles, including various makes and models, such as black Jeep Wranglers, Honda Accords, and even an ambulance. This incident underscores the growing concerns surrounding privacy and data security in surveillance technologies.

The ALPR system in question, developed by Motorola, is designed primarily for law enforcement agencies, providing them with real-time access to vehicle data. However, a flaw discovered by researcher Matt Brown has led to the exposure of live video feeds and historical records of vehicles captured by more than 150 ALPR cameras. Brown’s investigation began after he purchased one of these cameras on eBay and successfully reverse-engineered it to highlight the underlying security issues.

The alarms were raised when it became apparent that the misconfigured cameras not only broadcast real-time video feeds to the internet but also leaked sensitive data, including images of vehicles and their license plates. Access to this information has not required any authentication, raising substantial concerns about unauthorized access and data security breaches.

In collaboration with other technologists, Brown has confirmed through analysis of multiple feeds that sensitive vehicle data is available to anyone online, including the makes, models, and colors of the cars photographed. Motorola has acknowledged these vulnerabilities and stated that it is actively working with affected customers to address the exposure of the camera feeds.

The implications of this breach extend beyond Nashville; the proliferation of ALPR cameras across the United States has seen thousands of these devices installed in various locations, operated by prominent manufacturers such as Motorola and Flock Safety. These cameras automatically photograph passing vehicles, creating comprehensive databases used extensively by law enforcement to track suspects and monitor movements. The sheer volume of data captured, including incidental details like bumper stickers and lawn signs, further complicates issues of privacy.

Brown noted that each compromised camera was fixed in a location monitoring traffic, and he observed that the video feeds often covered only a single lane. Moreover, he discovered dual streams from each affected camera—one in regular color and another in infrared—further highlighting the scale of the exposure.

According to the MITRE ATT&CK framework, the vulnerabilities identified in this incident can be associated with tactics and techniques such as initial access, in which misconfigured settings allowed unauthorized visibility, and misconfiguration exploitation, highlighting a lack of proper security measures on the part of deploying entities. The unintentional exposure of this data indicates a need for improved protocols to safeguard sensitive surveillance information.

During a recent assessment, WIRED researchers examined data from 37 different IP addresses tied to Motorola’s ALPR cameras across various cities—including Omaha, Nebraska, and New York City. Over the same 20-minute timeframe, these cameras captured detailed vehicle data on nearly 4,000 vehicles, with some vehicles recorded multiple times as they were detected by different cameras.

As the dialogue surrounding surveillance technology and privacy intensifies, this incident serves as a potent reminder of the potential cybersecurity risks that accompany the deployment of advanced monitoring systems. As organizations increasingly rely on such technologies, the necessity for rigorous data protection and security measures has never been more critical.

Source