BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Whoops, Anyone Could Watch California City's Police Surveillance Cameras

This article is more than 9 years old.

A few years back, Thomas ‘T.K.’ Kinsey was having a late, inebriated night in downtown Redlands, a far-flung suburb of Los Angeles. He started climbing a fountain, making the kind of bad decision a late-night carouser makes. Suddenly, he heard a voice coming from above telling him to stop. It wasn’t a good angel on his shoulder; it was a member of the police department speaking to him through a speaker in a city surveillance camera. Redlands has over 140 surveillance cameras around the 70,000-person town that have helped the police spot and stop drunk drivers, brawlers, vandals, and people illegally smoking in parks, according to a case study on the site of Leverage Information Systems, the company that provided the camera system. After his encounter being watched by the cameras, Kinsey, a security engineer, decided to gaze back at the system. He and Dustin Hoffman, his boss at IT firm Exigent Systems, discovered that the police were not the only ones who could peer through the eyes of the city's cameras.

The cameras were deployed as a mesh network, with camera nodes popping up as "available wireless networks" dubbed with names that were far from stealth, such as "RPD - West End." The cameras used a proprietary mesh protocol to communicate but were not password-protected. Hoffman and Kinsey said that the protocol was fairly easily reverse-engineered and that tapping into the network was then easy, requiring no specialized hardware, and allowing anyone to have a police-eye's view of the town. "All you need is a little Linux knowledge and some $20 Wi-Fi hardware," says Hoffman. He and Kinsey mapped what the cameras watched, including the entrance to an adult video store.

"It would have been trivial to have made all the feeds public and stream them online for anyone to watch," Hoffman continued. It could have been like the "SeeChange" cameras envisioned by Dave Eggers in The Circle, where any space with a camera becomes part of a public surveillance system available to the public at large. But tapping into 'publicly broadcast networks' like that raises legal issues; Google is currently fighting off a class-action lawsuit for doing something similar when its Street View cars collected data off open Wi-Fi networks as they drove around mapping streets. Google has argued that intercepting information broadcast on an open wireless network is not equivalent to wire-tapping, but a federal court didn't buy the argument. The case is ongoing.

The Redlands police department got wind of the presentation however. Seventy-two hours before Hoffman and Kinsey discussed the flaw at security conference Defcon on Friday, the city's cameras suddenly became a little more private. The city enabled WEP encryption, according to the researchers, so that the camera network now requires a password to sign on. "Our cameras only capture something happening in public view, so we weren't incredibly concerned," said Redlands police operations commander Chris Catren. "But when we saw teasers for the presentation, we encrypted all the feeds out of an abundance of caution. There’s a high degree of support from the community and we wanted to avoid any fall-out."

Catren also said the police department wouldn't want people with criminal intent using the public camera feed to case homes or businesses or track the police force. However, the encryption on the cameras is not particularly secure. "WEP has been broken for a decade," said Kinsey. "It's a legal barrier only at this point."

"It's like putting a diary lock on your front door," continued Hoffman. LeverageIS camera networks are not just in Redlands but in several other cities around the U.S. Hopefully the security is better in other cities, but if you live in one and you are tech-savvy, you might want to check. Hoffman says the network is using Firetide for its mesh network technology in Redlands, and that he was impressed with the box itself which includes strong certificate-based encryption. The problem is that the city is not using the full security options available from the devices. "Firetide is a product I would absolutely use, but whoever installed these cameras failed to flip the switch that makes their network fully secure," said Hoffman.

The problem was not limited to making law enforcement's surveillance available to all. Someone who joined the network could also have likely figured out how to project video into it, or jam it and take the cameras offline. "They could show a loop or Godzilla stomping down the street," said Hoffman. Or they could frame someone, Minority-Report style, inserting footage of someone committing a crime they hadn't.

“You have to feel bad for the municipality. They see technology as a panacea to fix the police force," said Hoffman. The police department cites a constrained budget and the cameras being important "to accomplish more with less." Commander Catren described a cash-strapped police force that relies on cameras to reduce crime. Their feeds recently captured a murder, solved by sending photos of the suspect out on social media for identification. "But whoever set this up screwed up," says Hoffman. Apparently it's not the first time; in an interview with Government Security News last year, retired police lieutenant Russ Dalzell said the Redlands police department "had blundered badly during two previous attempts to install a city-wide surveillance system," before partnering with LeverageIS for a third, ostensibly successful attempt.

In 2011, Dalzell and LeverageIS employee Roy Leblond co-authored an article in Law Officer Magazine about the deployment of cameras in Redlands. They warned, "Reader beware: Establishing a UDP multicast network for video transportation is complex and requires specialized engineering capabilities." Apparently those capabilities were lacking. Yet last month, when Redlands City Council decided to hand off management of the cameras to the private sector, it awarded a $30,000 contract to Russ Dalzell. He needs to make the cameras more secure, but judging from his track history, he may not be up to the task.

As for seeing what the watchers see, someone who isn't on the police force who wants access to the cameras -- and doesn't want to hack them -- can join Redlands privacy council. The members have the right to view footage from the cameras at any time. "We’re not trying to keep this system from anybody," says Commander Catren. "We want as much community support and trust in the system as possible."