Tom’s Guide
Amber Bouman

Millions at risk due to severe security flaw in license plate readers

Cars on the road with blue overlay indicating what data may be contained about the drivers within.

A curious security researcher who bought a Motorola automated license plate reader (ALPR) discovered a concerning security flaw that affects hundreds of live ALPR cameras across the country. Matt Brown, who runs Brown Fine Security, purchased a Motorola ReaperHD ALPR surveillance camera off eBay and quickly found that many live cameras of the same model are misconfigured to stream color and infrared black-and-white video, along with car data including license plate numbers, to the open internet, where anyone can access them in real time without a username or password.

Brown, who made a series of YouTube videos demonstrating his proof-of-concept tool that exposes these vulnerabilities, initially set out only to reverse engineer his own camera and extract its firmware, when he found video streams on the device. He then checked whether any real-world devices were reachable online, and was able to use text from a 404 error page to find the IP addresses of exposed devices on the public internet. More than 150 devices appear when using a publicly available internet scanning tool.

ALPR cameras are often placed along roads, on the dashboard of police vehicles or even inside of trucks in order to automatically take pictures when they detect a car passing by. The system uses machine learning to extract text from the license plate, which is stored alongside details such as where the image was taken, as well as the time, and the make, model and color of the vehicle. The videos and databases of collected data are then frequently used by police to search for suspects.

Motorola has responded by confirming the exposures and a spokesperson has told media outlets it is working with affected customers to close the open access. A spokesperson explains: “The ReaperHD camera is a legacy device, the sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations. Some customer-modified network configuration potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”

However, this isn't the first instance of this kind of breach: a community called DeFlock, which maintains an open-source map of ALPRs in the United States, has also found roughly 170 unencrypted ALPRs. The founder of that community even built a script that can take the data, decode it, add timestamped information and dump it onto a spreadsheet in order to track a specific car's movements.

In 2015, the Electronic Frontier Foundation and University of Arizona researchers found hundreds of exposed ALPR streams, and in 2019 a hack of an ALPR vendor at the Department of Homeland Security resulted in license plate images of travelers being put up for sale on the dark web.

Brown, the security researcher, says that while not all Motorola ALPRs are leaking data or streaming to the open internet, the security flaw is still concerning and not something that is going to be fixed overnight. "You still have a super vulnerable device that if you gain access to their network you can see the data. When you deploy the technology into the field, attacks always get easier, they don't get harder."
