1TB of police body camera videos found lounging around public database • DigitalMunition
In yet another example of absent security controls, an infosec biz claims it found a trove of sensitive law enforcement data open to public view – specifically, archives of cop body cam footage.
Jasun Tate, CEO of Black Alchemy Solutions Group, told DigitalMunition on Monday he and his team had identified about a terabyte of officer body cam videos, stored in unprotected internet-facing databases, belonging to the Miami Police Department and cops in other US cities and places elsewhere. The operators of these databases – Tate suggests there are five service providers involved – work with various police departments, and the footage apparently dates from 2018 to present.
"Vendors that provide services to police departments are insecure," said Tate, adding that he could not at present identify the specific vendors responsible for leaving the archive freely accessible to the public. Below is an example body-cam video from the internet-facing data silo Tate shared on Twitter.
What is more distrubing about 1 terrabyte of police body cam videos from 2018-present that we just found on the darknet is that @MiamiPD and the other cities DAs are going to have a long day when they finally realize the 5 IT service providers they use are no #Infosec aware. pic.twitter.com/G9Kn5aBunC
— #CyberRonin #MetaHuman Paying Your Attention (@bitsdigits) June 30, 2019
Tate said he came across the files while doing online intelligence work involving open sources on behalf of a client. While searching the internet, he said his firm came across police body camera video clips that had been stored insecurely in what he described as a few open MongoDB and mySQL databases.
For at least the past few days, the footage was publicly accessible. A link pointing to the exposed body cam material was also visible to subscribers in a particular dark-web hacker forum, Tate said. He reckons the videos have been copied from the databases, and sold on, as a result.
According to Tate, the Miami Police Department was notified of the findings. A spokesperson for Miami PD said the department is still looking into these claims, and won't comment until the review is completed.
Tate posted about his findings on Saturday via Twitter. The links to databases he provided to DigitalMunition as evidence of his findings now return errors, indicating account administrators have taken steps to remove the files from public view.
The incident echoes the hacking of video surveillance biz Perceptics in terms of the sensitivity of the exposed data. The Perceptics hack appears to be more severe because so much of its internal data was stolen and posted online. But that could change if it turns out that much of the once accessible Miami body cam footage was copied and posted on other servers. ®
Sponsored:
M3 - The ML, AL and Analytics Conference from DigitalMunition
Gloss