EFF: New License Plate Reader Vulnerabilities Prove The Tech Itself is a Public Safety Threat

Automated license plate readers “pose risks to public safety,” argues the EFF, “that may outweigh the crimes they are attempting to address in the first place.”

When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake-up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and “fingerprinting” their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions’ Vigilant ALPRs, including missing encryption and insufficiently protected credentials…

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems… Because drivers don’t have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It’s a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote an article in Police Chief magazine this month that public safety agencies “are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel,” even though “the potential for harm from external factors is substantial.” That partially explains why more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks “targeting U.S. public safety organizations increased by 142 percent” in 2023.

Yet, the temptation to “collect it all” continues to overshadow the responsibility to “protect it all.” What makes the latest CISA disclosure even more outrageous is it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs… If there’s one positive thing we can say about the latest Vigilant vulnerability disclosures, it’s that for once a government agency identified and reported the vulnerabilities before they could do damage… The Michigan Cyber Command center found a total of seven vulnerabilities in Vigilant devices; two of which were medium severity and 5 of which were high severity vulnerabilities…
But a data breach isn’t the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.
The article concludes that public safety agencies should “collect only the data they need for actual criminal investigations.

“They must never store more data than they adequately protect within their limited resources — or they must keep the public safe from data breaches by not collecting the data at all.”

Read more of this story at Slashdot.

Walmart Announces Electronic Shelf Labels They Can Change Remotely

Walmart “became the latest retailer to announce it’s replacing the price stickers in its aisles with electronic shelf labels,” reports NPR.

“The new labels allow employees to change prices as often as every ten seconds.”

“If it’s hot outside, we can raise the price of water and ice cream. If there’s something that’s close to the expiration date, we can lower the price — that’s the good news,” said Phil Lempert, a grocery industry analyst…

The ability to easily change prices wasn’t mentioned in Walmart’s announcement that 2,300 stores will have the digitized shelf labels by 2026. Daniela Boscan, who participated in Walmart’s pilot of the labels in Texas, said the label’s key benefits are “increased productivity and reduced walking time,” plus quicker restocking of shelves…

As higher wages make labor more expensive, retailers big and small can benefit from the increased productivity that digitized shelf labels enable, said Santiago Gallino, a professor specializing in retail management at the University of Pennsylvania’s Wharton School. “The bottom line, at least when I talk to retailers, is the calculation of the amount of labor that they’re going to save by incorporating this. And in that sense, I don’t think that this is something that only large corporations like Walmart or Target can benefit from,” Gallino said. “I think that smaller chains can also see the potential benefit of it.”

Indeed, Walmart’s announcement calls the tech “a win” for both customers and their workers, arguing that updating prices with a mobile app means “reducing the need to walk around the store to change paper tags by hand and giving us more time to support customers in the store.” Professor Gallino tells NPR he doesn’t think Walmart will suddenly change prices — though he does think Walmart will use it to keep their offline and online prices identical.

The article also points out you can already find electronic shelf labels at other major grocers including Amazon Fresh stores and Whole Foods — and that digitized shelf labels “are even more common in stores across Europe.”

Another feature of electronic shelf labels is their product descriptions. [Grocery analyst] Lempert notes that barcodes on the new labels can provide useful details other than the price. “They can actually be used where you take your mobile device and you scan it and it can give you more information about the product — whether it’s the sourcing of the product, whether it’s gluten free, whether it’s keto friendly. That’s really the promise of what these shelf tags can do,” Lempert said.

Thanks to long-time Slashdot reader loveandpeace for sharing the article.

Red Hat’s RHEL-Based In-Vehicle OS Attains Milestone Safety Certification

In 2022, Red Hat announced plans to extend RHEL to the automotive industry through Red Hat In-Vehicle Operating System (providing automakers with an open and functionally-safe platform). And this week Red Hat announced it achieved ISO 26262 ASIL-B certification from exida for the Linux math library (libm.so glibc) — a fundamental component of that Red Hat In-Vehicle Operating System.

From Red Hat’s announcement:
This milestone underscores Red Hat’s pioneering role in obtaining continuous and comprehensive Safety Element out of Context certification for Linux in automotive… This certification demonstrates that the engineering of the math library components individually and as a whole meet or exceed stringent functional safety standards, ensuring substantial reliability and performance for the automotive industry. The certification of the math library is a significant milestone that strengthens the confidence in Linux as a viable platform of choice for safety related automotive applications of the future…

By working with the broader open source community, Red Hat can make use of the rigorous testing and analysis performed by Linux maintainers, collaborating across upstream communities to deliver open standards-based solutions. This approach enhances long-term maintainability and limits vendor lock-in, providing greater transparency and performance. Red Hat In-Vehicle Operating System is poised to offer a safety certified Linux-based operating system capable of concurrently supporting multiple safety and non-safety related applications in a single instance. These applications include advanced driver-assistance systems (ADAS), digital cockpit, infotainment, body control, telematics, artificial intelligence (AI) models and more. Red Hat is also working with key industry leaders to deliver pre-tested, pre-integrated software solutions, accelerating the route to market for SDV concepts.

“Red Hat is fully committed to attaining continuous and comprehensive safety certification of Linux natively for automotive applications,” according to the announcement, “and has the industry’s largest pool of Linux maintainers and contributors committed to this initiative…”

Or, as Network World puts it, “The phrase ‘open source for the open road’ is now being used to describe the inevitable fit between the character of Linux and the need for highly customizable code in all sorts of automotive equipment.”
