In yet another example of absent security controls, troves of police body camera footage were left open to the world for anyone to siphon off, according to an infosec biz.
Jasun Tate, CEO of Black Alchemy Solutions Group, told The Register on Monday he and his team had identified about a terabyte of officer body cam videos, stored in unprotected internet-facing databases, belonging to the Miami Police Department, and cops in other US cities as well as places abroad. The operators of these databases – Tate suggests there are five service providers involved – work with various police departments. The footage apparently dates from 2018 to present.
"Vendors that provide services to police departments are insecure," said Tate, adding that he could not at present identify the specific vendors responsible for leaving the archive freely accessible to the public. Below is an example body-cam video from the internet-facing data silo Tate shared on Twitter.
What is more distrubing about 1 terrabyte of police body cam videos from 2018-present that we just found on the darknet is that @MiamiPD and the other cities DAs are going to have a long day when they finally realize the 5 IT service providers they use are no #Infosec aware. pic.twitter.com/G9Kn5aBunC— #CyberRonin #MetaHuman Paying Your Attention (@bitsdigits) June 30, 2019
Tate said he came across the files while doing online intelligence work for a client. While searching the internet, he said his firm came across a dark-web hacker forum thread that pointed out the body cam material sitting prone on the internet. Following the forum's links led Tate to police video clips that had been stored insecurely in what he described as a few open MongoDB and mySQL databases.
For at least the past few days, the footage was publicly accessible, we're told. Tate reckons the videos will have been copied from the databases by the hacker forum's denizens, and potentially sold on by now.
According to Tate, the Miami Police Department was notified of the findings. A spokesperson for Miami PD said the department is still looking into these claims, and won't comment until the review is completed.
Tate posted about his findings on Saturday via Twitter. The links to databases he provided to The Register as evidence of his findings now return errors, indicating the systems' administrators have taken steps to remove the files from public view.
The incident echoes the hacking of video surveillance biz Perceptics in terms of the sensitivity of the exposed data. The Perceptics hack appears to be more severe because so much of its internal data was stolen and posted online. But that could change if it turns out that much of the once accessible Miami body cam footage was copied and posted on other servers. ®