Security Consultant: Police Bodycam Footage Can Be Hacked, Modified
Vulnerabilities in the software for five popular police bodycam brands allow hackers to delete or manipulate video footage, says a security consultant.
The software used for many popular police bodycam brands are vulnerable to remote digital attacks, including ones that could result in the modification of captured footage, according to a security consultant.
Josh Mitchell, a consultant at security firm Nuix, analyzed five body camera models from companies that market their devices to law enforcement groups in the United States. He claims all of the devices he tested had security issues that could allow a hacker to track their location or manipulate the software, reports Wired.
Mitchell also found that in all but one of the devices, certain vulnerabilities in the software allows for hackers to delete footage altogether or download and edit footage and then re-upload it, leaving behind no signs of a change.
Furthermore, Mitchell alleges some of the sophisticated models that contain radios for Bluetooth or cellular data connectivity have weaknesses that can allow hackers to stream live footage of the cameras.
“With some of these vulnerabilities—it’s just appalling,” said Mitchell. “I approached this research by trying to find industry trends that are prevalent across multiple devices. There are issues for each of the five devices I looked at that are specific to that device, but there are also trends in general across all of them. They are missing many modern mitigations and defenses.”
Mitchell fears the vulnerabilities may put law enforcement officials at risk. Many body cameras use predictable identifiers, allowing for a hacker with a long-range antenna to track police locations.
For example, said Mitchell, since body cameras are often only activated when police carry out certain operations, someone may recognize ten body cameras all activated in one localized area as a sign of a potential raid.
Additionally, Mitchell said the bodycams don’t have a cryptographic mechanism to confirm the validity of the video files. Consequently, when the devices sync with a cloud server or PC, there is no way to know that the camera footage is intact.
“I haven’t seen a single video file that’s digitally signed,” Mitchell said. “These videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced. I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.”
Mitchell shared his findings with the five businesses and is currently working with some of them to address the security issues.
“It’s a complex ecosystem and there are a lot of devices out there with a lot of problems,” Mitchell added. “These are full-featured computers walking around on your chest, and they have all of the issues that go along with that.”