Hackers can infiltrate police body cameras to tamper with evidence

It is possible that crucial recordings could be modified or deleted due to vulnerabilities in body cam software.

police-thumb.jpg
File Photo

The use of body cameras by law enforcement is a controversial subject. While such technologies can help protect police officers by deterring inappropriate physical behavior and also give citizens who have been unjustly accused of crimes some means of evidence to the contrary, the issue of transparency around such footage is still in question.

A new, proposed policy, for example, will mandate that LAPD officers must release footage within 45 days, which will turn on its head current stipulations that footage is withheld unless critical to a court case.

Studies suggest that body cams have little effect on police abuse but footage may prove useful in criminal prosecutions, leading to the rapid adoption of such technologies.

Such technologies do not come without risk, however, and now it seems this potential evidence is now at risk of modification or outright deletion due to a multiple of vulnerabilities in body camera software.

Speaking at DefCon in Las Vegas, Josh Mitchell, Principal cybersecurity Consultant at Nuix outlined a variety of ways in which footage can be accessed remotely, potentially leading to the compromise of evidence.

As reported by Wired, Mitchell analyzed body camera models marketed specifically for law enforcement purposes by Axon's Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc.

In all cases with the exception of Digital Ally, security flaws existed which permitted the researcher to cause havoc, including deleting footage outright, editing objects out of content, make changes to file structures, and re-uploading modified footage silently and covertly.

TechRepublic: Smartphone fingerprint sensor checks body temperature to boost biometric security

The security issues relating to these devices went deeper, as Mitchell also uncovered security problems associated with mobile apps, software, and cloud services that the body cameras connect with, as well as the widespread use of easy-to-guess and default credentials.

None of the devices tested uses cryptographic protections, and not a single video file was digitally signed.

If law enforcement agencies wish to use technology to gather evidence, the lack of signing is a serious issue.

Without being able to sign off the footage, video content cannot be validated properly or issued with timestamps -- which could call evidence into question.

Alternatively, threat actors could modify footage and there would be no way to detect this kind of tampering.

CNET: Armed police in London to wear head-mounted cameras

Police officers could also be put in danger due to another set of security issues. With the exception of the CeeSc model, all of the cameras tested have Wi-Fi radio capabilities and failed to properly mask the IP addresses linked to the equipment.

This means an attacker could track the location of the wearer, which is a serious security issue for the police, especially if they are in the middle of undercover operations. IP addresses could also be tracked for upticks in body camera activity which may suggest planned raids.

It may even be possible to install malware on the body cams, which would allow attackers to potentially crash devices, cause disruption, or even conduct surveillance of their own.

Mitchell deemed the security problems as "appalling," and told the publication that many of these devices are missing modern security protections and mitigations to prevent cyberattack.

See also: 25 Android smartphone models contain severe vulnerabilities off the shelf

Mitchell disclosed his findings to the vendors. Axon is in the process of issuing a fix to resolve the Vievu bugs, Patrol Eyes is currently evaluating the findings, and Fire Cam told Wired that the device tested by the researcher has been discontinued. Advanced Plus Group has patched the CeeSc device based on the research.

ZDNet has reached out to Digital Ally and will update if we hear back.

Previous and related coverage