This morning, in just 20 minutes, an automated license plate recognition (ALPR) system in Nashville, Tennessee, captured photos and detailed information of nearly 1,000 vehicles in its path. Among them: eight black Jeep Wranglers, six Honda Accords, an ambulance and a yellow Ford Fiesta with a personalized license plate.
This trove of real-time vehicle data, collected by one of Motorola’s ALPR systems, must be accessible to authorities. However, a flaw discovered by a security researcher has exposed live video feeds and detailed logs of passing vehicles, revealing the staggering scale of surveillance enabled by this widespread technology.
More than 150 Motorola ALPR cameras have had their video feeds and leaked data exposed in recent months, according to security researcher Matt Brown, who first published the issues in a series of youtube videos after purchasing an ALPR camera on eBay and reverse engineering it.
In addition to transmitting live images accessible to anyone on the Internet, the misconfigured cameras also exposed data they had collected, including car photographs and license plate records. Real-time data and video streams do not require any username or password to access.
Next to other technologistsWIRED reviewed video feeds from several of the cameras and confirmed that vehicle data, including car makes, models and colors, has been accidentally exposed. Motorola confirmed the exposures and told WIRED it was working with its customers to close access.
Over the past decade, thousands of ALPR cameras have appeared in towns and cities across the United States. The cameras, made by companies such as Motorola and Flock Safety, automatically take photos when they detect a car passing by. Police frequently use cameras and databases of collected data to search for suspects. ALPR cameras can be placed along roads, on the dashboards of police cars, and even on trucks. These cameras capture billions of photos of cars, occasionally including bumper stickers, lawn signs and T-shirts.
“Every one of them that I found exposed was in a fixed location on some road,” Brown, who runs the cybersecurity company Brown Fine Security, tells WIRED. The exposed video shows each lane of traffic in each lane, with cars driving across the camera’s view. It is snowing in some streams. Brown found two feeds for each exposed camera system, one in color and one in infrared.
Generally speaking, when a car passes by an ALPR camera, a photo of the vehicle is taken and the system uses machine learning to extract text from the license plate. This is stored along with details such as where the photo was taken, the time and metadata such as the make and model of the vehicle.
Brown says the camera footage and vehicle data were likely exposed as they had not been set up on private networks, possibly by the law enforcement agencies that deployed them, but were instead exposed to the Internet without any authentication. “It has been poorly configured. “It shouldn’t be open on the public Internet,” he says.
WIRED tested the flaw by analyzing data streams from 37 different IP addresses apparently linked to Motorola cameras, spanning more than a dozen U.S. cities, from Omaha, Nebraska, to New York City. In just 20 minutes, these cameras recorded the make, model, color and license plates of almost 4,000 vehicles. Some cars were even captured multiple times (up to three in some cases) as they passed by different cameras.