EFF: License Plate Readers Are Easy to Hack, Abused for Mass Surveillance

[Karamjit]

ALPRs have weak security measures, as any other IoT devices

The Electronic Frontier Foundation (EFF) has published a detailed report, warning law enforcement agencies across the country about the dangers of deploying automatic license plate readers (ALPRs) that do not employ any security measures.

The report, which only analyzes a small set of ALPR systems exposed online, details the common pitfalls to which most Internet of Things (IoT) devices fall these days.

Just like CCTV cameras, smart-fridges, and kettles, ALPR systems, even if they come with basic security features, most of the times are left in their default configuration.

Most ALPRs are accessible via the Internet, and if not sporting a Telnet or Web-access password, then using either the default one or an easy to guess alternative that would barely survive a brute-force attack more than 10 minutes.

In fact, Dan Matherly, Shodan's creator, has presented on this topic at many security conferences across the US, exposing thousands of such ALPR systems. Some other security researchers have also been able to access these systems, sometimes while they were creating photographic evidence of cars passing through their area.

US law enforcement agencies have a hunger for private data

Besides detailing a scenario that many security aficionados have very well become accustomed to (improper configuration of IoT devices), the EFF also goes on to warn about the bureaucracy that surrounds the agencies that deploy them, and the US states' lack of interest when protecting citizen privacy.

"ALPR systems are a form of mass surveillance, plain and simple" say EFF's Dave Maass and Cooper Quintin. "This technology captures information on every driver, regardless of whether they are under suspicion."

The EFF also goes on to cite a case from 2014 when the foundation's researchers asked for public records from the Los Angeles Police Department, but they were denied because police in California can withhold data if part of an investigation. Apparently they were investigating all cars in California at the same time.

These and many more other scenarios where automatic license plate readers have been exposed online or abused by government agencies for surveillance purposes can be read in EFF's full inquiry on the matter.

From