ALPRs have weak security measures, like any other IoT device

Oct 30, 2015 23:24 GMT

The Electronic Frontier Foundation (EFF) has published a detailed report, warning law enforcement agencies across the country about the dangers of deploying automatic license plate readers (ALPRs) that do not employ any security measures.

The report, which only analyzes a small set of ALPR systems exposed online, details the common pitfalls to which most Internet of Things (IoT) devices are exposed these days.

Just like CCTV cameras, smart fridges, and kettles, ALPR systems are most of the time left in their default configuration, even if they come with basic security features.

Most ALPRs are accessible via the Internet, and those that do not lack a Telnet or Web-access password entirely use either the default one or an easy-to-guess alternative that would barely survive a brute-force attack for more than 10 minutes.

In fact, Dan Matherly, Shodan's creator, has given presentations on this topic at many security conferences across the US, exposing thousands of such ALPR systems. Some other security researchers have also been able to access these systems, sometimes while they were creating photographic evidence of cars passing through their area.

US law enforcement agencies have a hunger for private data

Besides detailing a scenario that many security aficionados have become well accustomed to (improper configuration of IoT devices), the EFF also goes on to warn about the bureaucracy that surrounds the agencies that deploy them and the US states' lack of interest in protecting citizen privacy.

"ALPR systems are a form of mass surveillance, plain and simple," say EFF's Dave Maass and Cooper Quintin. "This technology captures information on every driver, regardless of whether they are under suspicion."

The EFF also goes on to cite a case from 2014, when the foundation's researchers asked for public records from the Los Angeles Police Department, but they were denied because police in California can withhold data if it is part of an investigation. Apparently, they were investigating all cars in California at the same time.

These and many other scenarios where automatic license plate readers have been exposed online or abused by government agencies for surveillance purposes can be read in EFF's full inquiry on the matter.

Standard dashboard for an ALPR camera