Once lauded as tools to enhance police accountability, body cameras have been facing increasing scrutiny from privacy advocates, and now one researcher has identified them as cybersecurity time bombs.
Speaking to Wired ahead of a Def Con presentation, Josh Mitchell, a consultant at the security firm Nuix, demonstrated that many body cameras are vulnerable to hacking, making several different nightmare scenarios possible: Officers themselves could be tracked while wearing the cameras, footage could be doctored or deleted entirely, and the cameras could be hijacked to spread ransomware or other malicious code throughout police networks.
“These videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced,” Mitchell told Wired. “I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.”
Mitchell demonstrated vulnerabilities in cameras made by Vievu, Patrol Eyes, Fire Cam, Digital Ally and CeeSc. Cameras from Axon, the largest manufacturer in the US, weren’t examined for vulnerabilities, but Vievu was recently acquired by Axon.
All five cameras, Mitchell told Wired, have specific vulnerabilities in how they verify videos and software updates. Specifically, they don’t use cryptographic mechanisms to confirm firmware updates or uploaded videos are legitimate.
Mitchell found that the cameras don’t protect uploaded footage with digital signatures to ensure it hasn’t been manipulated. Without this verification, attackers could therefore download, edit then re-upload footage to cloud storage without a trace.
Mitchell also says that the cameras run firmware without verification, meaning a hacker could expose the cameras to malicious code by disguising it as a normal software update.
Hackable body cameras are a potential liability for the entire police department that uses them. Once hackers have compromised cameras, they could infect them with malware, giving them access to entire police networks, Mitchell claims. That leaves police open to ransomware attacks, forced lockdowns, and worms that delete important files.
“These are full-feature computers walking around on your chest, and they have all of the issues that go along with that,” Mitchell said. One issue that kept reoccurring in his research: A too-easy-to-guess default Wi-Fi password, a problem reaching near-ubiquity with IoT devices.
Mitchell told Wired that since discovering the vulnerabilities he’s been in contact with all five companies. Axon said it will patch the vulnerabilities in Vievu tech. We reached out to these companies for additional comment but had not heard back at time of writing.
[Wired]