Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

EFF Issues New Warning After Discovery of Automated License Plate Reader Vulnerabilities

The EFF has issued a warning over the use of automated license plate readers following the discovery of serious vulnerabilities. 

The Electronic Frontier Foundation (EFF) has issued a warning on the risks and threats associated with mass surveillance technologies following the disclosure of several potentially serious vulnerabilities discovered recently in automated license plate readers.

Automated license plate readers (ALPRs) are high-speed camera systems that automatically capture all license plate numbers in their view. They are mounted on street poles, highway overpasses, and police cars. In addition to license plate numbers, they can capture data such as location, date and time, images of the vehicle, and sometimes even photographs of the driver and passengers. 

The EFF has been raising concerns about this system for several years, warning that it’s a mass surveillance system that captures and stores data beyond what is needed for public safety purposes. 

The organization’s latest warning comes shortly after the US cybersecurity agency CISA issued an advisory to inform organizations about several vulnerabilities found in Vigilant license plate readers made by Motorola Solutions. 

The security holes, some of which have been described as high-severity issues, can allow an attacker to bypass authentication, gain access to sensitive information, deploy backdoors, and shut down cameras. This is possible due to insufficiently protected credentials, hardcoded passwords, and weak authentication mechanisms.

An analysis conducted by the EFF showed that 80 agencies in California collected more than 1.6 billion license plate scans in 2022, primarily using Vigilant technology. 

“This data can be used to track people in real time, identify their ‘pattern of life,’ and even identify their relations and associates. An EFF analysis from 2021 found that 99.9% of this data is unrelated to any public safety interest when it’s collected. If accessed by malicious parties, the information could be used to harass, stalk, or even extort innocent people,” the EFF said.

Past incidents showed that vulnerabilities should not be ignored. In 2015, researchers found more than 100 ALPR cameras across Louisiana, California and Florida that could easily be hacked and controlled from the internet. In 2019, a vendor providing ALPR technology for border patrol checkpoints was hacked and the attackers gained access to 105,000 license plate images and 184,000 images of travelers from a face recognition pilot program. 

Advertisement. Scroll to continue reading.

In the case of the recently discovered vulnerabilities, the Michigan State Police Cyber Command Center reported them to CISA. Motorola has provided patches and/or mitigations for each security flaw. 

However, the EFF noted, “When vulnerabilities are found, it’s not enough for them to be patched: They must be used as a stark warning for policy makers and the courts.”

It added, “Public safety agencies must resist the allure of marketing materials promising surveillance omniscience, and instead collect only the data they need for actual criminal investigations. They must never store more data than they adequately protect within their limited resources–or they must keep the public safe from data breaches by not collecting the data at all.”

Related: Conservative Revolt in the House Blocks Effort to Reauthorize a Key US Spy Tool

Related: Vermont Governor Vetoes Data Privacy Bill, Saying State Would be Most Hostile to Businesses

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights