Number plate recognition cameras can be hacked by anyone

The Electric Frontier Foundation (EFF) has revealed Automatic Number Plate Recognition (ANPR) cameras can be hacked by anyone with an internet connection because police forces aren't correctly securing them.

The organisation carried out research in the US, where the units are known as ALPR cameras, and discovered that those used in its sample could be easily accessed, meaning hackers could find out everything about the owner of a particular vehicle that has been scanned by the camera.

The EFF added other information can be uncovered, including the doctor the owner of the vehicle attends, what protests you attend, and where you work, shop, worship and sleep at night.

The forces in question were St. Tammany Parish Sheriff's Office, Jefferson Parish Sheriff's Office, and the Kenner Police in Louisiana, Hialeah Police Department in Florida and the University of Southern California's public safety department and were supplied by a company called PIPS Technology, now owned by 3M.

"We cannot comment on issues PIPS may have had prior to the acquisition, but I can tell you any issues with our products are taken very seriously and directly addressed with the customer," 3M said in a statement.

"We stand behind the security features of our cameras. 3M's ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces. These security features are clearly explained in our packaging."

The EFF tested more than 100 cameras in operation by enforcement units round the US and found they could be accessed by publicly available interfaces, which included live feeds to the camera's operation. The testing involved responding to requests sent by the hardware and connecting it to a web browser or Telnet. In some cases, the camera and Telnet was protected by a password, in which case EFF left it alone. However, sometimes, EFF was able to find the password details on the Telnet configuration.

"As longtime critics of mass surveillance systems, EFF would like nothing more than to see a law enforcement agency take its ALPR networks offline," the research firm said. "In fact, in letters and emails we sent to the agencies, we advised that a shut down would be the most effective measure. But that's a decision for the agencies to make, not computer researchers.

"Our greatest concern was ensuring that, if they were going to continue to use these systems, they not put the public's privacy at risk of a data breach."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.