Only in 20 This morning, an automatic license plate recognition (ALPR) system in Nashville, Tennessee captured photos and detailed information from nearly 1,000 vehicles as they passed by. Among them: eight black Jeep Wranglers, six Honda Accords, one ambulance, and a yellow Ford Fiesta with a vanity plate.
This real-time vehicle data set, collected by one of Motorola’s ALPR systems, is supposed to be available to law enforcement. However, a flaw discovered by a security researcher has revealed live video feeds and detailed records of passing vehicles, revealing the staggering scale of surveillance enabled by this widespread technology.
According to security researcher Matt Brown, who first publicized the issues in a series of YouTube videos after buying an ALPR camera on eBay and reverse-engineering it, more than 150 Motorola ALPR cameras have leaked video feeds and data in recent months. They have exposed themselves.
In addition to streaming live footage that is publicly accessible on the Internet, misconfigured cameras also expose the data they collect, including photos of cars and license plate logs. No username or password required to access video feeds and real-time data.
Along with other techies, WIRED reviewed video feeds from multiple cameras and confirmed that vehicle data — including vehicle makes, models, and colors — was accidentally exposed. Motorola confirmed the cases and told WIRED that it was working with its customers to close the access.
Over the past decade, thousands of ALPR cameras have appeared in cities and towns across the United States. Made by companies like Motorola and Flock Safety, the cameras automatically take pictures when they detect a passing car. The cameras and the database they collect are often used by police to track down suspects. ALPR cameras can be placed on the side of roads, on the dashboard of police cars and even in trucks. These cameras capture billions of photos of cars, including bumper stickers, lawn signs and T-shirts.
“Every one of them that I saw was in a fixed location on a road,” Brown, who runs the cybersecurity firm Brown Fine Security, told WIRED. The exposed videos each cover one lane of traffic, with cars passing through the camera’s view. It is snowing in some places. Brown found two streams for each exposure camera system, one in color and one in infrared.
Generally, when a car passes an ALPR camera, a photo of the car is taken and the system uses machine learning to extract text from the license plate. This is stored alongside details such as where the photo was taken, the time, as well as metadata such as the make and model of the vehicle.
Camera feeds and vehicle data were likely exposed because they were not deployed on private networks, possibly by the law enforcement agencies that deployed them, and instead were exposed to the Internet without any authentication, Brown said. “Incorrectly configured. It should not be open on the public Internet.
WIRED tested the flaw by analyzing data streams from 37 different IP addresses allegedly tied to Motorola cameras spanning more than a dozen cities across the United States, from Omaha, Nebraska, to New York City. would take These cameras recorded the brand, model, color and license plate of nearly 4000 vehicles in just 20 minutes. Some cars were even photographed multiple times – in some cases up to three times – as they passed by different cameras.
