Security flaws in police body cameras open the devices to attack

A researcher presenting at Def Con 26 said security flaws in police body cameras could enable hackers to edit and delete footage and weaponize the devices with malware.

Police body cameras are riddled with security vulnerabilities that could allow a hacker to remotely tweak or delete footage, track the cops wearing them, or weaponize the bodycam by installing malware such as ransomware that could be spread to other devices in a police station.

Josh Mitchell, aka @bx_lr, a consultant at the security firm Nuix, pointed out a plethora of critical security issues with police body cameras during his presentation at Def Con. After analyzing bodycams by Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc, Mitchell said some of the vulnerabilities that could be remotely exploited were appalling.

“These videos can be as powerful as something like DNA evidence, but if they’re not properly protected, there’s the potential that the footage could be modified or replaced,” Mitchell told Wired. “I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.”

All the body cameras except CeeSc have Wi-Fi radio, and they broadcast unencrypted identifying information about the devices. An attacker with a long-range antenna could track the cops wearing the bodycams. And that doesn’t mean track the location of a single officer, as multiple cameras being activated at the same time could potentially warn the attacker that cops were coordinating a raid.

The model of Vievu and Patrol Eyes cams that Mitchell analyzed could generate their own Wi-Fi access points. Sadly, they were not secured properly to prevent other devices from connecting to the camera’s private network.

Mitchell found flaws in all five bodycams, ranging from the lack of digital code-signing to relying on easy-to-find default credentials. This opens the door to evidence tampering. An attacker, for example, could connect to the bodycam and manipulate or even delete video footage.

Wired consulted ACLU Senior Policy Analyst Jay Stanley, who said, “The fact that some law enforcement evidence-collecting devices can be hacked evokes some true nightmare scenarios.” He suggested that if the bodycams don’t have strong security standards, then the devices should not be used.

Attackers could infect bodycams with malware

The failure to cryptographically sign firmware updates means cops’ bodycams could even be used as an attack vector.

Wired reported:

Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit that could ultimately allow an attacker to gain remote access to the police network, ransomware to spread across the network and lock everything down, a worm that infiltrates the department's evidence servers and deletes everything, or even cryptojacking software to mine cryptocurrency using police computing resources.

Mitchell told the vendors about the issues, and he hopes that fixes for all the flaws will be deployed.

“These are full-feature computers walking around on your chest, and they have all of the issues that go along with that,” Mitchell warned.

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.