Researcher Says Police Body Cameras Are An Insecure Mess

from the internet-of-cop-things dept

The promise of transparency and accountability police body cameras represent hasn't materialized. Far too often, camera footage goes missing or is withheld from the public for extended periods of time.

So far, body cameras have proven most useful to prosecutors. With captured footage being evidence in criminal cases, it's imperative that footage is as secure as any other form of evidence. Unfortunately, security appears to be the last thing on body cam manufacturers' minds.

Josh Mitchell, a consultant at the security firm Nuix, analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. The companies all market their devices to law enforcement groups around the US. Mitchell's presentation does not include market leader Axon—although the company did acquire Vievu in May. In all but the Digital Ally device, the vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. Or an attacker could simply delete footage they don't want law enforcement to have.

This is already bad news. We've already seen some evidence that officers have altered/destroyed footage. This attack vector allows almost anyone to do the same thing, all without leaving a trace of intrusion. But the flaws run deeper than this. According to Mitchell's research, some cameras can have their signals intercepted, allowing criminals to locate law enforcement officers or simply eavesdrop on recordings as they occur. It's not just a matter of criminals eluding cops. Hijacking signals obviously has a serious impact on officer safety.

And this is only the problem created by the cameras themselves. Every camera has to interact with another computer system to upload footage. In many cases, they're linked to cloud services as well, which introduce further vulnerabilities. Attackers could use body cams to deliver malicious payloads to law enforcement computer systems or the cloud services used to store recordings.

But underneath everything else runs this crucial part of the justice process: footage is evidence and evidence must be kept intact. Cameras and camera services simply aren't doing enough to prevent evidence tampering. The chain of evidence is relied on to ensure its integrity, but until these vulnerabilities are removed, body cam footage may as well be hearsay.

The bodycams don't have a cryptographic mechanism to confirm the validity of the video files they record either. As a result, when the devices sync with a cloud server or station PC, there's no way to guarantee that the footage coming off the camera is intact. "I haven’t seen a single video file that’s digitally signed," Mitchell says.

The good news is companies were alerted before Mitchell went public with his Defcon presentation. Most are implementing fixes, although a couple of smaller manufacturers refused to comment on the issues. The bad news is these fixes shouldn't have been necessary. The cameras and the services they rely on were put into service without many of these considerations being taken seriously. It appears they're no more secure than an off-the-shelf $30 webcam, even though they're only being sold to law enforcement agencies.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: accountability, body cameras, police, security, transparency