Motorola’s automatic license plate recognition (ALPR) cameras were found connected to an unsecured server, enabling unrestricted access to live video streams and vehicle movement data. Security researcher Matt Brown uncovered the vulnerability and created video demonstrations showing how Motorola Reaper HD ALPR cameras, purchased on eBay, could transmit data openly to the internet.
Initially, Brown discovered that these cameras could be accessed on private networks without authentication. However, it later emerged that many cameras were misconfigured to transmit data publicly. Using Censys, Brown confirmed that the cameras’ IP addresses were discoverable, allowing anyone to view video streams and access data without authorization.
Some cameras broadcast color and infrared street footage, along with detailed license plate information. Will Freeman, a member of the DeFlock project, noted that over 170 data streams from these cameras were publicly accessible. By employing a custom script, researchers automatically collected information, including license plate numbers, vehicle models, colors, and timestamps with locations.
The presence of such devices at strategic urban locations enables the tracking of individuals’ regular routes, raising significant privacy concerns linked to the widespread use of ALPR systems. This incident highlights that even law enforcement agencies cannot always ensure the security of the data they gather.
Motorola Solutions stated that they are working on a firmware update to enhance device security. A company representative noted that Reaper HD cameras have not been sold since 2022, attributing the identified issues to user-configured network settings. Motorola has pledged to collaborate with clients to restore recommended configurations.
This is not an isolated case. In 2015, researchers identified hundreds of publicly accessible ALPR data streams.
Will Freeman previously observed an unusual number of cameras mounted on poles with solar panels in southern U.S. states. In Huntsville, Freeman noted that Flock cameras were strategically placed in a circular pattern at major intersections, creating a surveillance ring tracking vehicles entering and exiting the city center. Soon after, he discovered cameras from other manufacturers, including Motorola and its subsidiary Avigilon, integrated into broader surveillance networks capable of monitoring movements nationwide.
In March 2022, David Zayas, driving a nondescript gray Chevrolet on a highway in Scarsdale, New York, became the subject of police attention despite no apparent traffic violations. The incident stemmed from a new AI-based tool that flagged the vehicle’s behavior as suspicious, underscoring the growing concerns over automated surveillance technologies.
