Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
In just 20 minutes this morning, an automatic license-plate-recognition (ALPR) system in Nashville, Tennessee, captured photographs and detailed information on nearly 1,000 vehicles as they passed by. Among them: eight black Jeep Wranglers, six Honda Accords, an ambulance and a yellow Ford Fiesta with a vanity plate.
This trove of real-time vehicle data collected by one of Motorola’s ALPR systems is accessible by law enforcement. However, a flaw discovered by a security researcher exposed live video feeds and detailed records of passing vehicles, revealing the staggering scale of surveillance enabled by this pervasive technology.
According to security researcher Matt Brown, more than 150 Motorola ALPR cameras have had their video feeds and data leaked in recent months. YouTube video After buying an ALPR camera on ebay and reverse engineering it.
In addition to broadcasting live footage accessible to anyone on the Internet, misconfigured cameras also reveal the data they collect, including vehicle photos and license plate logs. No username or password is required to access real-time video and data feeds.
as well as Other techniciansWIRED reviewed video feeds from several cameras, confirming that vehicle data—including the make, model and color of the vehicle—was accidentally exposed. Motorola confirmed the exposure, telling Wired it was working with its customers to stop access.
Over the past decade, thousands of ALPR cameras have appeared in cities and towns across the United States. The cameras, which are made by companies such as Motorola and Flock Safety, automatically take pictures when they detect a passing vehicle. The cameras and databases of information collected are often used by police to track down suspects. ALPR cameras can be placed on the side of the road, on the dashboard of police cars and even in trucks. These cameras capture Billions of photos of cars – including the occasional bumper sticker, lawn sign and t-shirt.
Brown, who runs the cybersecurity company Brown Fine Security, told Wired, “Every one of the ones I’ve exposed has been in a specific location on some road. The open video feed covers each single lane of traffic, with cars moving through the camera’s view. In some streams, snow is falling. Brown found two streams for each exposed camera system, one in color and one in infrared.
Basically, when a car passes an ALPR camera, a picture of the car is taken and the system uses machine learning to extract the text from the license plate. This is stored alongside details such as where the photograph was taken, the time, as well as metadata such as the make and model of the vehicle.
Brown said the camera feed and vehicle data were likely released because they were not set up on private networks, likely deployed by law enforcement agencies, and instead were exposed to the Internet without any authentication. “It’s misconfigured. It should not be open on public internet,” he said.
Wired tested the flaw by analyzing data streams from 37 different IP addresses apparently tied to Motorola cameras spanning more than a dozen U.S. cities, from Omaha, Nebraska to New York City. In just 20 minutes, those cameras record the make, model, color and license plate of nearly 4,000 vehicles. Some cars were even captured multiple times – in some cases up to three times – as they passed different cameras
