Last June, the Department of Homeland Security released an advisory noting that a commonly used automated license plate reader (ALPR) was theoretically vulnerable to a variety of hacks. This week, security researcher Matt Brown demonstrated that not only are these ALPRs actually vulnerable, but many are easily accessible to anyone with some know-how and an Internet connection. A hacker with the most basic skills could currently be using them to track people’s movements, without a spied-upon victim ever knowing.
The amount of data these bad actors could access is huge, because ALPRs are massive dragnets for data. The way the system works is straightforward: use cameras to watch every car that drives by. Special software is used to note the color, make, and model of the cars, and optical character recognition is used to log the license plate numbers. That data is stored and compared against various databases to search for vehicles of interest, and notify police when one is seen.
Although exact numbers are impossible to come by, ALPRs are astoundingly widespread in America, with one open-source project to record ALPR locations, deflock.me, estimating the number in the thousands. Various US agencies at both the state and federal level use the systems to track the movements of anyone passing by.
With intelligent placement of a select few ALPRs, it becomes possible to monitor someone’s movements with such granularity that you could establish their daily habits with ease. Indeed, some city governments set them up exactly like this. Whether this is a constitutional practice is still up for debate in the courts, but what Brown discovered and shared on his YouTube channel means that this data isn’t just for the government to see; it’s for anyone with some know-how to discover.
In the video, Brown finds dozens of ALPRs completely unprotected and available to watch, like Twitch streams for passing car traffic. The data logs that are automatically generated every time a car drives by are also available to the public, which means that government-level surveillance is available to anyone with a little bit of scripting knowledge. To show it, 404 Media reached out to the creator of deflock.me, and he was able to build a timestamped database of the make, model, color, and license plate of every car driving by.
The privacy concerns are immense, obviously. Stalkers, malicious bosses, privacy-invading in-laws—they all could, in theory, pick out a few publicly accessible cameras in their city and follow a person throughout their entire day. More concerning for national security, if these cameras are open to individuals, they’re also open to nation-state actors, who could monitor the habits of American VIPs whenever they drive a personal vehicle.
Next time you’re out for a drive and you feel like you’re being followed, look up for some ALPR cameras. Maybe you are.