EFF: New License Plate Reader Vulnerabilities Prove The Tech Itself is a Public Safety Threat

Automated license plate readers “pose risks to public safety,” argues the EFF, “that may outweigh the crimes they are attempting to address in the first place.”

When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and “fingerprinting” their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions’ Vigilant ALPRs, including missing encryption and insufficiently protected credentials…

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems… Because drivers don’t have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It’s a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote an article in Police Chief magazine this month that public safety agencies “are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel,” even though “the potential for harm from external factors is substantial.” That partially explains why more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks “targeting U.S. public safety organizations increased by 142 percent” in 2023.

Yet, the temptation to “collect it all” continues to overshadow the responsibility to “protect it all.” What makes the latest CISA disclosure even more outrageous is it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs… If there’s one positive thing we can say about the latest Vigilant vulnerability disclosures, it’s that for once a government agency identified and reported the vulnerabilities before they could do damage… The Michigan Cyber Command center found a total of seven vulnerabilities in Vigilant devices; two of which were medium severity and 5 of which were high severity vulnerabilities…
But a data breach isn’t the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.

The article concludes that public safety agencies should “collect only the data they need for actual criminal investigations.

“They must never store more data than they adequately protect within their limited resources - or they must keep the public safe from data breaches by not collecting the data at all.”

Read more of this story at Slashdot.

Aaron Swartz Day Commemorated With International Hackathon

Long-time Slashdot reader destinyland shares this announcement from the EFF’s DeepLinks blog:

This weekend, EFF is celebrating the life and work of programmer, activist, and entrepreneur Aaron Swartz by participating in the 2022 Aaron Swartz Day and Hackathon. This year, the event will be held in person at the Internet Archive in San Francisco on Nov. 12 and Nov. 13. It will also be livestreamed; links to the livestream will be posted each morning.

Those interested in attending in-person or remotely can register for the event here.

Aaron Swartz was a digital rights champion who believed deeply in keeping the internet open. His life was cut short in 2013, after federal prosecutors charged him under the Computer Fraud and Abuse Act (CFAA) for systematically downloading academic journal articles from the online database JSTOR. Facing the prospect of a long and unjust sentence, Aaron died by suicide at the age of 26….

Those interested in working on projects in Aaron’s honor can also contribute to the annual hackathon, which this year includes several projects: SecureDrop, Bad Apple, the Disability Technology Project (Sat. only), and EFF’s own Atlas of Surveillance. In addition to the hackathon in San Francisco, there will also be concurrent hackathons in Ecuador, Argentina, and Brazil. For more information on the hackathon and for a full list of speakers, check out the official page for the 2022 Aaron Swartz Day and Hackathon.
Speakers this year include Chelsea Manning and Cory Doctorow, as well as Internet Archive founder Brewster Kahle, EFF executive director Cindy Cohn, and Creative Commons co-founder Lisa Rein.
