Police license plate readers are still exposed on the internet

Most of the ALPR devices are shipped with default passwords

Smile! You’re on camera. At least, your license plate is.

You might have heard of automatic license plate recognition — known as ALPR (or ANPR in the U.K. for number plates). These cameras are dotted across the U.S., and are controlled mostly by police departments and government agencies to track license plates — and people — from place to place. In doing so, they can reveal where you live, where you go and who you see. Considered a massive invasion of privacy by many and legally questionable by some, there are tens of thousands of ALPR readers across the U.S. collectively reading and recording thousand of license plates — and locations — every minute, the ACLU says, becoming one of the new and emerging forms of mass surveillance in the U.S.

But some cameras are connected to the internet, and are easily identifiable. Worse, some are leaking sensitive data about vehicles and their drivers — and many have weak security protections that make them easily accessible.

Security researchers have been warning for years that ALPR devices are exposed and all too often accessible from the internet. The Electronic Frontier Foundation found in 2015 dozens of exposed devices in its own investigation not long after Boston’s entire ALPR network was found exposed, thanks to a server security lapse.

But in the three years past, little has changed.

In the course of a week, TechCrunch found more than 150 ALPR devices from several manufacturers connected to and searchable on the internet. Many ALPR cameras were entirely exposed or would have been easily accessible with little effort. Of the ALPR cameras we identified, the majority had a default password documented in its support guides. (We didn’t use any of the passwords, as that would be unlawful.)

“It doesn’t surprise us to hear that the problems are still ongoing,” said Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation. “What we tend to find is that law enforcement will get sold this technology and see it as a one-time investment, but don’t invest in cybersecurity to protect the information or the devices themselves.”

Darius Freamon, a security researcher, was one of the first to find police ALPR cameras in 2014 on Shodan, a search engine for exposed databases and devices.

Freamon found one then-popular model of ALPR cameras, the P372, a license plate reader built and released by PIPS Technology in 2004. Back then, its default password wasn’t a major hazard. But today, a dozen devices are still viewable on Shodan. Although the web interfaces are locked down in most cases, many of these devices allow unauthenticated access through its telnet port — allowing to run commands on the device without a password at all, giving access to each device’s database of collected license plates.

We also found more than a dozen ALPR cameras in use by police in California, given away by their hidden Wi-Fi network name but still cached by Shodan. Two ALPR servers by Texas-based firm MissionALPR were found online at the time of writing.  And, we also found more than 80 separate Genetec-built AutoVu SharpV devices — including two previously discovered license plate readers “as-a-service” device each in Washington and California. (Genetec said that only its setup process has a default password, and users are required to change the password on setup.) And, many of the ALPR cameras found independently years ago — even as far back as 2012 — are still online.

The list goes on and on.

[gallery type="slideshow" size="full" ids="1772723,1772727,1772724"]

It’s not just police using ALPR services. Private companies, like large campuses and universities, also invest heavily in ALPR, but are unaware of the risks associated with storing massive amounts of data.

“In California, you’re responsible under state law to maintain reasonable security practices to protect against unauthorized access,” said Maass. “If it turns out that somebody is harmed because they put a license plate reader up and it didn’t have basic security like password protections, that person can be on the hook for punitive damages.”

We asked several ALPR device makers, including PIPS and MissionALPR, if they still produce devices with default passwords and if they offer advice to their customers with legacy equipment, but besides Genetec, no other ALPR device manufacturer commented or answered our questions prior to publication.

“Genetec has no access to the user-defined passwords and the only way to access the camera in case of a lost password is to do a factory reset,” said a spokesperson.

While many ALPR cameras — like the devices built and sold by PIPS and Genetec — are hardware-based, many cheaper or homebrew systems rely on an internet-connected webcam and cheap or free license plate recognition software, like OpenALPR, that runs separately on top. OpenALPR doesn’t have a default password (though many are still searchable online), but it is open source, making it free to download and cheap to operate.

But it means that now any camera can be an ALPR camera.

Case in point: When police in the city of Orinda, near San Francisco, began installing non-ALPR motion-activated cameras by Reconyx, investigative reporters at NBC’s Bay Area team were able to obtain with a single public records request more than five million photos in a three-month period from the city’s 13 cameras. A local resident then used free ALPR software to turn the images into a searchable database of license plates.

There’s a fine line between using technology to fight crime and creepily surveilling your neighbors. But device makers can — and will soon have to — do more to protect their devices from hacking — or simply leaking data.

Starting next year, California law will ban internet-connected devices manufactured or sold in the state if they contain a weak or default password that isn’t unique to each device. Not only does that protect against hacking, it prevents easy hijacking from powerful, network crippling botnets.

Until then, assume that if it’s connected to the internet, it’s not as secure as it could be.