PIPS Technology's automatic number plate recognition systems in use. Credit: PIPS Technology
Big Brother watching you is bad enough. But Big Brother allowing hackers to watch you as well is worse.
And that is increasingly the case, thanks to the indiscriminate, and insecure, collection of vehicle license plate data, according to recent reports from the Electronic Frontier Foundation (EFF) and the alt-weekly DigBoston.
The technology at issue is Automated License Plate Readers (ALPR) – cameras mounted on patrol cars or stationary roadside structures like utility poles that record not just the plate number, but metadata including the date, time and location of the vehicle.
EFF reported late last year that it had found, “more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser.” Those cameras were in several Louisiana communities; in Hialeah, Florida; and at the University of Southern California.
DigBoston reported in September that until alerted by a reporter, “anyone online was able to freely access a City of Boston ALPR system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012.”
In both cases, public safety or transportation officials and the APLR vendors tightened security after being notified of the vulnerabilities, although EFF said it took, “five months of engagement with these entities.”
The systems studied by EFF were made by a company called PIPS Technology, which was acquired by 3M in 2012. 3M, in a statement to EFF, said the cameras had good security features, but that they had to be enabled by customers.
Jennifer Lynch, senior staff attorney at EFF, said the organization does not know how many ALPR systems are in use throughout the U.S. and what percentage of them might have security problems.
But with the exploding popularity and use of such cameras, it is virtually guaranteed that there are both security and privacy issues that are not being addressed. A team of computer scientists at the University of Arizona issued a recent report saying they had found vulnerable cameras in Washington, California, Texas, Oklahoma, Louisiana, Mississippi, Alabama, Florida, Virginia, Ohio, and Pennsylvania.
DigBoston reported that the open online server it found, used for municipal parking enforcement, was owned by Affiliated Computer Services (ACS), a Xerox subsidiary. When notified about it, “within two hours, the portal was removed from public view,” wrote reporter Kenneth Lipp.
Jody Westby, CEO of Global Cyber Risk and a privacy consultant, said that digital surveillance many times exceeds the expertise of “guards, guns, and gates” security teams.
Sign up for Computerworld eNewsletters.