For nearly as long as you’ve been behind the wheel, government agencies and police departments utilize cameras and software to be able to read and interpret license plates. These systems are especially popular on toll roads and bridges to make sure you’re paying Big Brother.

Matt Brown, the founder of Brown Fine Security, is a whizz when it comes to security. He uncovers a critical weakness in the Motorola Reaper HD ALPR, a widely used license plate-reading camera available on eBay.

However, he became quickly concerned with how easy it was for him to breach the camera’s “security” system.

“My initial videos were showing that if you’re on the same network, you can access the video stream without authentication,” Brown told 404 Media. “But then I asked the question: What if somebody misconfigured this and instead of it being on a private network, some of these found their way onto the public internet?”

Brown was right – live feeds are easily accessible

Not only was he able to find live feeds from several cameras across the nation on the open internet, but he didn’t need a password or login to access them, either. The creep factor deepened as anyone could easily access the collected data.

Brown found nearly 200 live streams from the Motorola cameras, making it easy for people to track the movements of a specific car.

“Let’s say 10 of them are in a city at strategic locations. If you connect to all 10 of them, you’d be able to track regular movements of people,” he said.

Will Freeman, the creator of DeFlock, an open-source map of APLRs in the country, points to the evidence: even the police fail to encrypt your data.

“I’ve always thought these things were concerning, but this just goes to show that law enforcement agencies and the companies that provide ALPRs are no different than any other data company and can’t be trusted with this information,” Freeman told the outlet. “So when a police department says there’s nothing to worry about unless you’re a criminal, there definitely is. Here’s evidence of a ton of cameras operated by law enforcement freely streaming sensitive data they’re collecting on us. My hometown is mostly Motorola [ALPRs], so someone could simply write a script that maps vehicles to times and precise locations.”

Motorola claims it’s working on a solution

Motorola responded to the breach by announcing that a software update was underway. The camera is old, they said, so there was initially little support for it.

“Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data,” wrote the spokesperson. “The ReaperHD camera is a legacy device, sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations.

“Some customer-modified network configurations potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”