Exploding body-camera maker says its software is now less hackable

Who else gets the pictures?
Image: Miami-Dade PD handout via Reuters

After a body camera worn by a New York Police Department officer burst into flames, the NYPD immediately pulled almost 3,000 of its Vievu model LE5 units out of service. Some experts say battery fires, while potentially dangerous, are relatively rare and might be among the industry’s lesser worries. 

Vievu, which is owned by Scottsdale, Arizona-based Axon, introduced the LE5 in October 2017, listing among its features a lithium-ion battery that can power more than 12 hours of recording time. Lithium-ion battery fires—though still uncommon—have grounded aircraft, incinerated Teslas, destroyed iPhones, sparked blazes at landfills and recycling centers, and blown teeth out of vapers’ mouths.

“NYPD is contracting with an independent third-party forensic consultant to conduct an investigation on the reported camera issue and will share the findings with Axon,” Axon spokesperson Carley Partridge said in an email. “We are committed to the success of the NYPD’s body-worn camera program and will work closely with them over the following months to ensure this is resolved quickly and safely.” She added that Axon is “conducting a thorough analysis of Vievu’s manufacturing supply chain process to ensure that we are providing the highest quality products and services to any agency that has purchased a Vievu camera.”

There are other issues surrounding body cams that some experts find troubling. The devices have done little to curb the types of police abuses that first led to their adoption by US law-enforcement agencies, and lingering unease remains about the security of cloud storage.

Beyond a battery issue?

A host of technical vulnerabilities were described by Josh Mitchell on Aug. 12, 2018 at the DEF CON 26 conference in Las Vegas. Mitchell is a principal cybersecurity consultant for Nuix, a multinational digital forensics firm serving government and law-enforcement clients that specializes in reverse engineering, tool development, and vulnerability assessment services. He said he tested body cams and software from five companies, including a model in Vievu’s LE5 line, and contends cameras across the industry don’t do enough to keep hackers at bay. 

https://www.youtube.com/watch?v=X34taF1R7sU&feature=youtu.be&t=1588

Were a hacker to gain access to any of the systems—including the Vievu model pulled by the NYPD, Mitchell says—they would theoretically be able to track an individual officer’s location, alter or delete stored body-cam footage, or distribute malware throughout a department’s entire network. “It was very surprising to find out how, on some of these products, the evidence on the camera can be modified with just a basic understanding of how normal stuff works,” Mitchell told Quartz. “If you know how to use FTP [file transfer protocol], which is a standard tool used by everybody, you can log into one of these cameras and modify or delete the videos on them.”

He said none of the cameras he examined encrypted the uploaded files or gave them a digital signature to certify that the video hadn’t been tampered with, adding, “The MP4 media files on Vievu cameras are just MP4 files.”

In response to questions about Mitchell’s statements, NYPD spokesperson Devora Kaye told Quartz that the department “takes a layered approach to information security as it relates to our body-worn camera program, at the network, application, and camera level. The integrity of our video data was among the key considerations that informed the design of our body camera system.” She did not elaborate further.

Seeing built-in problems

The Vievu LE5 models, like many body cams, have built-in wireless hotspots so officers can interact with video evidence in the field, said Mitchell. The LE5 and others typically have companion smartphone apps used by police. Mitchell said he found certain features within the systems lacked adequate access controls and required officers to be diligent about changing default passwords.

“If you connect to the wifi, you can view all the evidence on them,” said Mitchell. “You just need the password for the wifi, and wifi’s been broken for years,” he said, adding that “there are many attacks out there [designed] to break into wireless access points.”

Vievu says its “commitment to security and compliance is unparalleled in the industry.” A July 2018 white paper posted on its website says: “All video files recorded by VIEVU cameras are authenticated using a FIPS 140-2 level 1 compliant Digital Signature process. Authentic videos are marked Valid in the video metadata.” The company also states that its cloud infrastructure is hosted on Microsoft Azure Government servers that are “completely isolated” and purpose-built to serve only state, local, and federal government customers.

Partridge, the Axon spokesperson, said “the issues [Mitchell raised] have already been addressed across the Vievu customer-base.”

“As part of our regular software releases, we make ongoing security improvements, which include items related to security research like the work conducted related to the DEF CON 26 conference,” she said. “The latest version of VeriPatrol, version 4.28.13.0, was released to customers on Aug. 14, 2018… This update addresses the wifi issue that was discussed during Josh Mitchell’s presentation at Defcon.”

“It seems like they fixed many of the issues,” Mitchell said in response. “However, unsigned evidence and unsigned firmware is still an issue.”

What’s happening on the streets

Although certain hacks may be doable in theory, Grant Fredericks, a certified forensic video analyst and a video sciences instructor at the FBI National Academy in Quantico, Virginia, says he doesn’t see it happening.

“I look at body-worn video around North America every day, and I’m in contact with law-enforcement agencies around the country,” Fredericks told Quartz. “To my knowledge, there’s never been a case where a camera has been breached in the way depicted [by Mitchell.]”

While “any data that is transmitted wirelessly has a vulnerability,” federal encryption standards keep police data well secured, Fredericks said, adding that exploiting the software weaknesses pointed out by Mitchell—even if they had not been addressed by the manufacturers—would still be incredibly difficult for someone to pull off outside of a laboratory setting.

However, in January 2017, Romanian hackers broke into a police computer network in Washington, DC and disabled two-thirds of the Metropolitan Police Department’s outdoor surveillance cameras days before the 2017 presidential inauguration. That same month, a police department in the Dallas, Texas area lost years’ worth of video evidence to hackers. Baltimore, Maryland’s 911 dispatch system was shut down by hackers in March of this year; the Atlanta PD lost archived video and in-vehicle camera footage to a hack, also in March.

Asked if any piece of technology could ever truly be considered unhackable, Mitchell laughed and replied, “Uh, no.”