But when it comes to the devices themselves, the most crucial function they need to perform—beyond recording footage in the first place—is protecting the integrity of that footage so it can be trusted as a record of events. At the DefCon security conference in Las Vegas on Saturday, though, one researcher will present findings that many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage.
Josh Mitchell, a consultant at the security firm Nuix, analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. The companies all market their devices to law enforcement groups around the US. Mitchell’s presentation does not include market leader Axon—although the company did acquire Vievu in May.
In all but the Digital Ally device, the vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. Or an attacker could simply delete footage they don’t want law enforcement to have.
‘I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.’
Josh Mitchell, Nuix
Mitchell found that all of the devices he tested had security issues that could allow an attacker to track their location or manipulate the software they run. He also found problems with the ecosystem of mobile apps, desktop software, and cloud platforms that these cameras interact with. Additionally, Mitchell says that some of the more sophisticated models, which contain radios for Bluetooth or cellular data connectivity, also have vulnerabilities that can be exploited to remotely stream live footage off the cameras, or to modify, add, and delete the footage stored on the devices.
“With some of these vulnerabilities—it’s just appalling,” Mitchell says. “I approached this research by trying to find industry trends that are prevalent across multiple devices. There are issues for each of the five devices I looked at that are specific to that device, but there are also trends in general across all of them. They are missing many modern mitigations and defenses.”
Four of the five body cameras Mitchell tested have a Wi-Fi radio—the CeeSc WV-8 does not—and all of those broadcast identifying information about the device. Sensitive gadgets like smartphones have started randomizing these IDs, known as MAC addresses, to mask them. But the body cameras Mitchell looked at use predictable formats that give away too much information, like make and model plus a code for each device.
That means attacker could use a long range antenna to track cops. And as Mitchell points out, body cameras are often only activated when police carry out certain operations, or anticipate particular interactions. Noticing that 10 body cameras all activated at once, in a localized area, could foreshadow a raid, for instance. Mitchell fears that the exposure could pose a safety risk to law enforcement.
Mitchell says that all of the devices also have shortcomings in validating the code they run and the data they store. He found that none of the models he tested uses cryptographic signing to confirm the integrity of firmware updates, a common Internet of Things lapse. Without it, an attacker might develop malicious software that could be delivered to different devices in different ways based on their other vulnerabilities—through exposed desktop software or remote programming, for example. Once introduced, the devices will run any firmware without question.
More specifically problematic: The bodycams don’t have a cryptographic mechanism to confirm the validity of the video files they record either. As a result, when the devices sync with a cloud server or station PC, there’s no way to guarantee that the footage coming off the camera is intact. “I haven’t seen a single video file that’s digitally signed,” Mitchell says.
In addition to connecting to Wi-Fi networks, higher-end body cameras like the Vievu LE-5 Lite and the Patrol Eyes SC-DV10 also have the ability to generate a Wi-Fi access point of their own. That allows other devices to connect to the camera’s private network, but Mitchell found that these features had inadequate or missing authentication in the models he tested, so anyone could connect to a camera from a regular consumer device and access its data.
Mitchell says that the cameras all had some features that were missing key access controls, or relied on default credentials that were easy to determine. A proactive police department could update the defaults to something stronger, but even those could be undermined on certain devices. Many of the desktop platforms and mobile apps used with the cameras also had issues with access control.
“These videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced,” Mitchell says. “I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.”
‘The fact that some law enforcement evidence-collecting devices can be hacked evokes some true nightmare scenarios.’
Jay Stanley, ACLU
Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit that could ultimately allow an attacker to gain remote access to the police network, ransomware to spread across the network and lock everything down, a worm that infiltrates the department’s evidence servers and deletes everything, or even cryptojacking software to mine cryptocurrency using police computing resources. Even a body camera with no Wi-Fi connection, like the CeeSc, can be compromised if a hacker gets physical access. “You know not to trust thumb drives, but these things have the same ability,” Mitchell says.
“The fact that some law enforcement evidence-collecting devices can be hacked evokes some true nightmare scenarios,” says Jay Stanley, senior policy analyst at the American Civil Liberties Union. “If there aren’t reliable ways of ensuring that such equipment meets strong security standards, then something is deeply broken. No police equipment should be deployed that doesn’t meet such standards.”
Mitchell disclosed his findings to the five vendors and has been working with them to fix the issues. Axon says it is in the process of patching the Vievu vulnerabilities. “We are pushing a fix out to all Vievu customers early next week to resolve the issue that impacts users who have not reset their default Wi-Fi password,” Axon spokesperson Steve Tuttle told WIRED. “As part of our regular release cycle, we are pushing several security updates next quarter, which include items identified by the security researcher. We have invested heavily in a dedicated information security team that works to ensure all Axon products are designed and built with security in mind.”
A Patrol Eyes spokesperson told WIRED that the company is aware of Mitchell’s findings and is evaluating them. Fire Cam president Rob Schield says the company discontinued the OnCall device two years ago and no longer supports it. Third parties continue to sell it, though. CeeSc, which is owned by Chinese manufacturer Advanced Plus Group, did not return WIRED’s requests for comment. Digital Ally also did not respond to inquiries.
Mitchell hopes that the companies fix the bugs he found, but his larger goal is to call attention to the shortcomings of a whole class of device—one that happens to play a vital role in public safety and social justice. “It’s a complex ecosystem and there are a lot of devices out there with a lot of problems,” Mitchell says. “These are full-feature computers walking around on your chest, and they have all of the issues that go along with that.”