As the public and police rush to embrace body cams, they may have overlooked a key point. What about security? Can body cameras be hacked? If they can, what would be the results?
These questions only raise more questions about these cameras. The first, and possibly the most important question, must be; who would control how they are used? Should law enforcement officers be required to always have them on? Do we really want to watch police officers eat donuts or use the restrooms? If not, we must allow them some control over these cameras. In other words, they must have the ability to turn them on and off. That, itself, could lead to a number of problems. Officer Lewis was wearing a body cam when she shot a suspect in the head in New Orleans. That should have made it easy to figure out if her actions were justified or not, right? Unfortunately, she had forgotten to turn her camera on. The incident may have developed too quickly for her to remember to do so, who knows? In any event, despite having a body cam, there is no record of the event.
Even if officers were not able to turn a camera on and off, what would happen if they put on a coat ‘by accident’ and covered the camera? Would they even know if a camera had technical problems and was not recording or pointed in the wrong direction? What if they forgot to charge it? In other words, there is nothing foolproof about making the police wear body cameras. However, there are far more troubling considerations than these.
Where would all of these videos be stored and who would be allowed to look at them? We could be talking about hundreds or thousands of videos a day, some of which would have little law enforcement value. Who would need to review them and decide which were important or not? Where would police departments get the money to hire and train people to work only on video assessment?
As for storage, most IT people would probably suggest that the videos be uploaded to the cloud. Unfortunately, that’s where one of the hacking problems comes into play. Cloud security’s main problem is the man-in-the-middle attack where the videos are captured by someone between the sender and the cloud. The video may, in fact, make it to the cloud but not before a third party has made a copy for themselves. Even if the video makes it to the cloud for storage, and even if files stored there are encrypted, this does not mean they are completely safe. Whether the hack of Dropbox last October was a true hack or not doesn’t really matter here because a vulnerability in their software was discovered by a software development duo in August, 2013. This year, in March, another vulnerability was found. It’s axiomatic: All software has some vulnerability in it somewhere and, as a corollary, if vulnerabilities exist, the software (cloud storage site in this case) is vulnerable to attack.
To pursue this angle further, all of these cameras come with software, so it is only a matter of time before a vulnerability in the software is exposed. In such cases, the attacker would (just as in the case of baby monitors/nanny cams) take full control of the camera. It could be turned on and off at the attacker’s discretion and everything the camera sees the attacker can also see. Any network or computer that the camera is connected to will also be vulnerable to attack. Once the attacker gets network privileges, they will appear to be a valid network user and will have full control of anything (any camera, any video, any records) on the network.
Hacking could also begin with the police department’s computers, servers, or any mobile devices connected to the department’s network. Police departments have been hacked in the past and they will no doubt be hacked in the future. For some reason, they often seem to be the target of ransomware attacks (cryptolocker). An attacker simply needs to insert malware by making use of an endpoint. Once into the department’s network, it is only a matter of gaining administrative privileges and the attacker can get whatever they need. That is to say, they can gain access to a body cam through another device connected to the same network.
But why would a hacker want access to these videos? A number of reasons come to mind. First of all, an attacker could edit out (or in) any information that may suit their needs. They could put in a zombie attack if they wanted. They could completely alter the evidence in a case making someone appear innocent or guilty at their discretion. Just the idea that a network is vulnerable to such an attack may be enough to corrupt video evidence. From posts seen in the deep web, many would pay good money to have their criminal records removed or altered. This is not only a possibility. It has already been done. In addition, the fact that police records often contain large amounts of personal data also make them attractive to hackers.
Knowing what police in a specific area were doing, by using their body cams, a criminal could arrange to commit a crime unhindered. They could even use distraction as a technique by directing police to a false crime scene, leaving the criminals free to perpetrate whatever mischief they have in mind.
Although these threats may seem insubstantial now, they would certainly exist and may result in serious outcomes that police departments should not take lightly. A 2013 survey found that only half of all law enforcement agencies felt that that their computers and networks could withstand a cyber attack. However, what seems to emerge most from these statistics is that these agencies weren’t really sure how secure their systems were at all, since about 2/3 of them had never had their security systems professionally assessed. It is most likely, in such cases, that they would not even know if their networks have already been compromised. However, according to the report, of those attacks that were known about, “it appears that the primary aim of hackers was to gain access to the Records Management System (RMS), either to manipulate critical investigation data or remove criminal records.” With the addition of body cams, protection of police networks will become even more complicated since the number of endpoints on the networks will vastly increase. In other words, law enforcement agencies around the country would be effectively putting cyber targets on their backs.