Kiss goodbye to crucial evidence.
Body cameras used by the law enforcement nowadays have already remained controversial but no one has, so far, attempted to assess the credibility of the device itself. But, at Defcon 2018, police body cameras became an object of discussion when a researcher Josh Mitchell identified these cameras to be vulnerable to remote digital attacks.
According to the findings of a security consultant at Australia based cybersecurity firm Nuix, by attacking police body cameras, a hacker can easily manipulate footages. To prove his point, Mitchell assessed five different body camera models from different manufacturers.
These included CeeSc, Digital Ally, Fire Cam, Patrol Eyes and Vievu (which was acquired by Axon in May 2018). These are the main companies that sell their devices to law enforcement authorities in the US. Surprisingly though, Mitchell left out the market leader Axon.
In his presentation, Mitchell revealed that all of the models of body cameras had security vulnerabilities. He stated that these devices are using very mundane and easy-to-guess network addresses. Hackers can use these addresses to identify the cameras remotely, as soon as the device is switched on. This would allow hackers to keep a check on police activities as they can easily watch footages from various cameras that are switched on at the same time and place.
In Digital Ally body camera, the vulnerabilities would let hackers download, edit and/or modify footages from the camera and re-upload an entirely different version without making it look suspicious to the police. It was also possible for an attacker to delete certain footages and police won’t be able to view them.
A concerning aspect is that none of the devices utilized code-signing or cryptographically signed the captured footages. This means, a hacker can easily inject arbitrary code into them and the police cannot identify if the footage has been tampered with. Some models, which are equipped with Bluetooth or cellular data connectivity feature, can be exploited for enabling live streaming of the footages.
“These videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced. I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues,” claims Mitchell.
Moreover, some of these body cameras can create temporary Wi-Fi networks to connect to other devices. These connections aren’t authenticated, which means anyone can connect and start accessing the filesystems, infect the computer with malware or modify footages.
Out of the five devices assessed, four had a Wi-Fi radio and only CeeSc model wasn’t equipped with it. Hence, all the four devices were broadcasting device-related information too such as its make, model, and code. Tracking the cops would be so much easier with this information. All that a hacker would need is a long range antenna.
By exploiting the security flaws in these devices, a hacker can track the location of the device and also manipulate the software. There were certain flaws in the desktop software, mobile applications, and cloud platforms that these devices interacted with.
Mithcell believes that some of the vulnerabilities are downright “appalling.” He further explained that the purpose of this research is to check out general industry trends that currently prevail across a broad range of devices.
“They are missing many modern mitigations and defenses,” added Mitchell.