Automated license plate recognition systems, also known as ALPR or simply LPR systems, have become increasingly popular — and controversial — tools for law enforcement in recent years. The systems can automatically photograph and record data on license plates in real time, drawing the ire of privacy advocates like those at the Electronic Frontier Foundation, which has just released information on security vulnerabilities in ALPR systems across the country.
"Earlier this year, EFF learned that more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser," the organization says in the new report released today.
The report focuses on systems sold by a company called PIPS Technology, which is now owned by 3M. According to the EFF, live feeds from some of the cameras were available to watch online, and "were individually connected to the internet and freely accessible online to anyone who knew where to look."
The organization described its testing approach:
The testing process involved confirming that a camera was online and responding to requests by connecting to it with a Web browser or by connecting to it over Telnet. If the camera had a password on both the Web and Telnet interface we left it alone, but if the camera was not protected with a password we were able to recover configuration information. However, when the Web was locked down, but Telnet was not, we [were] able to view password information in the Telnet configuration. Often these passwords were set to the default or were otherwise not sophisticated enough to be secure.
Using information embedded on the page and through publicly available sources, the EFF was able to identify the position of some of the cameras, and got in touch with the owners to highlight the vulnerabilities. Some, like local Louisiana law enforcement agencies and the University of Southern California, took steps to fix the vulnerabilities. But the city of Hialeah, Florida, stopped returning the organization's calls.
The ACLU has found that about three-quarters of law enforcement agencies were using similar systems in 2011, giving officers "hundreds of millions of data points" on drivers not accused of a crime.