• United States



Police body cameras came preloaded with Conflickr

Nov 16, 20155 mins
Data and Information SecuritySecurity

Some Martel body cameras came with an unpleasant surprise...the Confickr worm. Also a police department body camera policy scoreboard was released.

Although Conficker is old, it’s still around as cleaning up botnets takes years to complete. In a new twist, iPower Technologies reported receiving multiple police body cams that came preloaded with the Conficker worm.

The body cams were Martel Electronics Frontline Cameras with GPS, which are “sold and marketed as a body camera for official police department use.” Martel said of its “elite video cameras” meant for police departments:

We provide a military grade body camera at a price that fits your budget. The US Military has deployed them to Iraq, Afghanistan and Kuwait. Customers include the US Air Force, Navy, BLM, Border Patrol, US Forest service, Coast Guard, FEMA, ATF, Homeland Security, Lockheed Martin and thousands of Sheriff and Police departments in all 50 states. We have over 5,000 state and local law enforcement agencies as customers.

iPower is working on a cloud-based storage system so police departments and government agencies can store and search body cam footage. After plugging an infected body cam into a PC, it naturally attempted to spread to other machines on the iPower lab network as well as to make “several phone home calls to Internet sites.” iPower tried to report the vulnerability to Martel, but Martel Electronics has yet to officially acknowledge it. Although it was first submitted to Virus Total six years and 10 months ago, iPower submitted Conficker again.

There was no reply regarding the preloaded Conficker after I tried Martel’s “ask a question” chat feature. There was no mention of preloaded viruses among Martel’s seven questions to ask before buying “military grade” body cams. Even after checking “accessories,” there was no mention of Martel tossing in Conficker for free. The police body camera brochure (pdf) mentions a docking station so “Transporter” can “automatically remove the videos, photos and supervisor log notes.” Again, no mention of plugging in so “Transporter” can send unprotected computers or servers back to 2008 with Conficker.

The brochure does, however, mention that “if you accidentally turn off your camera, or an event was cut short, our system catches an additional 10 minutes after de-activation. (Optional) We felt this was a necessity.” It seems like if it was a “necessity” then it wouldn’t come with an option to turn recording off…and that takes us to varying police department body camera policies.

Police department body camera policy scoreboard

Leadership Conference and Upturn recently released a body camera policy scorecard for U.S. police departments. They looked at the 15 largest police departments that either currently use or soon will equip body cameras; they also hand-selected 10 other police departments based on facts like receiving DOJ funding for the cams, being in the national spotlight for questionable behavior, or having adopted promising policies. For example, “Ferguson PD has the least well thought out policies of those that we reviewed: it received the lowest mark in every one of our eight scoring criteria.”

CDT’S Harley Geiger explained, “The scorecard ranks agencies’ body cam policies based on eight criteria derived from the Leadership Conference’s Civil Rights Principles on Body Worn Cameras, several of which are dedicated to protecting privacy.”

Police departments were rated according the eight criteria below:

  1.        Makes the department policy publicly and readily available
  2.        Limits officer discretion on when to record
  3.        Addresses personal privacy concerns
  4.        Prohibits officer pre-report viewing
  5.        Limits retention of footage
  6.        Protects footage against tampering and misuse
  7.        Makes footage available to individuals filing complaints
  8.        Limits the use of biometric technologies

A green check indicates that the police’s policy “fully satisfies” the criteria; a yellow circle means it “partially satisfies” criteria and a red X means the policy “either does not address the issue, or policy runs directly against our principles.”

Some of the key findings included “three major departments — Philadelphia PD, Detroit PD, and San Antonio PD — either don’t have, or have never released, a body-worn camera policy, even though they have started to send cameras into the field in pilot programs.” Additionally, “even when camera policies are in place, eight of the 12 largest departments we reviewed do not make their policies publicly and readily available on the department’s website. Many of the policies we analyzed were found externally on other websites.”

“Of the 25 departments, only one–Baltimore–limits facial recognition technology being used in body cameras,” wrote Cato at Liberty’s Matthew Feeney. “None of the 25 departments explicitly prohibit officers from reviewing body camera footage before making an initial statement or report for any incident. The majority of the departments do not have body camera policies publicly available on their websites. Only two of the departments (Parker, Colorado and Washington, D.C.) allow people filing a police misconduct complaint to view at least some of the relevant body camera footage.”

He added that some of the poor police policies have received DOJ funding for the cams; “LAPD, for example, was awarded $1 million for body cameras despite requiring officers involved in a fatal use-of-force incident to view body camera footage before making a statement.”

Police body cams could potentially help provide transparency, but the Civil Rights Principles on Body Worn Cameras pointed out, “police-operated cameras are no substitute for broader reforms of policing practices. In fact, cameras could be used to intensify disproportionate surveillance and enforcement in heavily policed communities of color. Without carefully crafted policy safeguards in place, there is a real risk that these new devices could become instruments of injustice, rather than tools for accountability.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.