In just 20 minutes this morning, an automated license-plate-recognition (ALPR) system with an IP address geolocated to Tennessee captured photographs and detailed information from nearly 1,000 vehicles as they passed by. Among them: eight black Jeep Wranglers, six Honda Accords, an ambulance, and a yellow Ford Fiesta with a vanity plate.
This trove of real-time vehicle data, collected by one of Motorola’s ALPR systems, is meant to be accessible by law enforcement. However, a flaw discovered by a security researcher has exposed live video feeds and detailed records of passing vehicles, revealing the staggering scale of surveillance enabled by this widespread technology.
More than 150 Motorola ALPR cameras have exposed their video feeds and leaking data in recent months, according to security researcher Matt Brown, who first publicized the issues in a series of YouTube videos after buying an ALPR camera on eBay and reverse engineering it.
As well as broadcasting live footage accessible to anyone on the internet, the misconfigured cameras also exposed data they have collected, including photos of cars and logs of license plates. The real-time video and data feeds don’t require any usernames or passwords to access.
Alongside other technologists, WIRED has reviewed video feeds from several of the cameras, confirming vehicle data—including makes, models, and colors of cars—have been accidentally exposed. Motorola confirmed the exposures, telling WIRED it was working with its customers to close the access.
Over the last decade, thousands of ALPR cameras have appeared in towns and cities across the US. The cameras, which are manufactured by companies such as Motorola and Flock Safety, automatically take pictures when they detect a car passing by. The cameras and databases of collected data are frequently used by police to search for suspects. ALPR cameras can be placed along roads, on the dashboards of cop cars, and even in trucks. These cameras capture billions of photos of cars—including occasionally bumper stickers, lawn signs, and T-shirts.
“Every one of them that I found exposed was in a fixed location over some roadway,” Brown, who runs cybersecurity company Brown Fine Security, tells WIRED. The exposed video feeds each cover a single lane of traffic, with cars driving through the camera’s view. In some streams, snow is falling. Brown found two streams for each exposed camera system, one in color and another in infrared.
Broadly, when a car passes an ALPR camera, a photograph of the vehicle is taken, and the system uses machine learning to extract text from the license plate. This is stored alongside details such as where the photograph was taken, the time, as well as metadata such as the make and model of the vehicle.
Brown says the camera feeds and vehicle data were likely exposed as they had not been set up on private networks, possibly by law enforcement bodies deploying them, and instead exposed to the internet without any authentication. “It’s been misconfigured. It shouldn’t be open on the public internet,” he says.
WIRED tested the flaw by analyzing data streams from 37 different IP addresses apparently tied to Motorola cameras, spanning more than a dozen cities across the United States, from Omaha, Nebraska, to New York City. Within just 20 minutes, those cameras recorded the make, model, color, and license plates of nearly 4,000 vehicles. Some cars were even captured multiple times—up to three times in some cases—as they passed different cameras.
