Cameras operated by three area law enforcement agencies were left open to hackers and in at least one case could have been accessed by anyone with a Web browser, a national online privacy group revealed last week.
The St. Tammany Parish Sheriff’s Office, Kenner Police Department and Jefferson Parish Sheriff’s Office were operating devices known as automatic license plate readers that were vulnerable to online snooping, according to the San Francisco-based Electronic Frontier Foundation.
A malicious user could have used them to track drivers’ whereabouts or even to harm the agencies’ camera networks.
All three agencies took action after the security flaws were revealed in early 2015, the group said, but the incident raised questions about drivers’ privacy.
“When you have this data out there, it puts you at risk,” said Dave Maass, a researcher for the group. “What this shows is that the police who believe this is such a wonderful tool aren’t keeping the tool maintained properly.”
At least 15 license plate readers in Kenner, one elsewhere in Jefferson Parish and 19 in St. Tammany Parish were vulnerable to attack, according to an online map created by the group.
The license plate readers are used by law enforcement agencies across the country to seek out stolen cars and aid criminal investigations. Each one can spot hundreds of cars an hour, logging where they were seen and when. Privacy advocates have warned that they could be used to track innocent drivers.
“In aggregate, the information that these things are collecting can reveal a lot about you: where you go to church, what doctors you see, where you sleep at night,” Maass said. “When that stuff is out there where people who aren’t even police officers can access it, then this stuff starts to get a little more dangerous.”
The group said that in many cases passwords that protect cameras were readily available to anyone with the technical skills to use an online protocol called Telnet. In other cases, just a Web browser would have been needed to view a rolling stream of license plate numbers and pictures.
The group posted a redacted screenshot from a camera it said was operated by JPSO near a church in Woodmere that included a FedEx van, a sedan and an SUV. A camera in Kenner, also easily accessed on the Web, revealed drivers’ plates.
Spokesman George Bonnett said the St. Tammany Parish Sheriff’s Office acted quickly to secure its cameras when it was informed by the group of the security flaws and that there were no signs that anyone other than the privacy researchers had accessed them.
“I’m a driver in St. Tammany Parish, too,” Bonnett said. “There’s no indication ... that in the time period that we’re talking about ... anybody used it for any sort of nefarious purpose.”
Jefferson Parish Sheriff’s Office spokesman Col. John Fortunato said there may have been issues with one license plate reader, but he was not aware of any other vulnerable cameras in the agency’s far-reaching network of more than 100.
“Our cameras are on the Internet but only accessible from within the JPSO network,” Fortunato said.
Kenner Police spokesman Lt. Brian McGregor would only say that the department took “necessary action” to secure the flawed cameras.
Other cameras in places from California to Florida also were vulnerable to online snooping, according to the EFF. Most were sold by a company called PIPS Technology, which was acquired by 3M.
The company said in a statement to EFF that it stood behind the security features of its cameras, and that it is the responsibility of individual law enforcement agencies to change their default passwords.