Smile! You’re on camera. At least, your license plate is.
You might have heard of automatic license plate recognition — known as ALPR (or ANPR in the U.K. for number plates). These cameras are dotted across the U.S., and are controlled mostly by police departments and government agencies to track license plates — and people — from place to place. In doing so, they can reveal where you live, where you go and who you see. Considered a massive invasion of privacy by many and legally questionable by some, there are tens of thousands of ALPR readers across the U.S. collectively reading and recording thousand of license plates — and locations — every minute, the ACLU says, becoming one of the new and emerging forms of mass surveillance in the U.S.
But some cameras are connected to the internet, and are easily identifiable. Worse, some are leaking sensitive data about vehicles and their drivers — and many have weak security protections that make them easily accessible.
Security researchers have been warning for years that ALPR devices are exposed and all too often accessible from the internet. The Electronic Frontier Foundation found in 2015 dozens of exposed devices in its own investigation not long after Boston’s entire ALPR network was found exposed, thanks to a server security lapse.
But in the three years past, little has changed.
In the course of a week, TechCrunch found more than 150 ALPR devices from several manufacturers connected to and searchable on the internet. Many ALPR cameras were entirely exposed or would have been easily accessible with little effort. Of the ALPR cameras we identified, the majority had a default password documented in its support guides. (We didn’t use any of the passwords, as that would be unlawful.)
“It doesn’t surprise us to hear that the problems are still ongoing,” said Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation. “What we tend to find is that law enforcement will get sold this technology and see it as a one-time investment, but don’t invest in cybersecurity to protect the information or the devices themselves.”
Freamon found one then-popular model of ALPR cameras, the P372, a license plate reader built and released by PIPS Technology in 2004. Back then, its default password wasn’t a major hazard. But today, a dozen devices are still viewable on Shodan. Although the web interfaces are locked down in most cases, many of these devices allow unauthenticated access through its telnet port — allowing to run commands on the device without a password at all, giving access to each device’s database of collected license plates.
We also found more than a dozen ALPR cameras in use by police in California, given away by their hidden Wi-Fi network name but still cached by Shodan. Two ALPR servers by Texas-based firm MissionALPR were found online at the time of writing. And, we also found more than 80 separate Genetec-built AutoVu SharpV devices — including two previously discovered license plate readers “as-a-service” device each in Washington and California. (Genetec said that only its setup process has a default password, and users are required to change the password on setup.) And, many of the ALPR cameras found independently years ago — even as far back as 2012 — are still online.
The list goes on and on.