Researcher Buys Axon Cameras On eBay, Finds They're Still Filled With Recordings

from the not-even-using-'password'-for-the-password dept

Data isn't secure just because nothing happened to it when it was still in your possession. It can still "leak" long after the storage device has gone onto its second life in someone else's hands.

The Fort Huachuca Military Police were just apprised of this truism by Twitter user KF, who had purchased some used Axon body cameras on eBay. The cameras still contained their microSD storage cards. And contained on those storage cards were a bunch of recordings (including audio) that hadn't been wiped by the MPs before the cameras ended up on eBay.

The whole thread is worth a read (here's an unrolled version if you prefer to go somewhere other than Twitter). No one seems to know how the cameras ended up on eBay, but it's pretty amazing they ended up in the secondary market with their recordings still intact.

What's more amazing (but somehow simultaneously less surprising) is that the recordings weren't encrypted or protected by a password. Axon responded to the Arizona Mirror's reporting of this secondary-market breach by saying it was "looking into the matter." It also said it would be putting more effort into telling its law enforcement customers what they should already know.

“We are… reevaluating our processes to better emphasize proper disposal procedures for our customers.”

What's more reassuring is that this data disposal carelessness is no longer as much of an issue for Axon customers. The cameras in KF's hands are first-generation models produced in 2015. Axon's latest version encrypts recordings and, presumably, forces officers to select passwords to ensure this encryption isn't rendered useless by a lack of login protection.

eBay also responded to questions from the Mirror, stating that it forbids the sale of surveillance devices like the ones KF was able to purchase. It also said sellers are responsible for making sure internal storage is wiped before making devices eBay says it does not allow to be sold on the site are made available for sale on the site.

Security matters. But situations that demand the utmost in care are too often handled in ways that an octogenarian using their first computer ever would find amateurish. KF's site contains this amusing/scary security test of police in-car camera systems -- cameras the researchers were able to view live after discovering zero authentication was needed to access this stream. And the system itself was only "protected" by the default login/password, which the researchers found in a PDF copy of the device's manual after a little bit of Googling.

For all the talk from law enforcement officials about the need to redact and/or withhold recordings out of concern for people's privacy, they don't seem to be very concerned that these recordings are ending up in the hands of the public. Nor does there seem to be much concern that recordings might be improperly accessed by other personnel with access to the devices while the cameras were still being used by the Fort Huachuca police. The lack of password protection is just as alarming as the apparent lack of proper disposal procedures. This is consumer-grade carelessness exercised by a taxpayer-funded entity with a whole lot of power and the obligation to be better public servants.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: body cameras, disposal, encryption, evidence, fort huachuca, recordings
Companies: axon, ebay


Reader Comments

Subscribe: RSS

View by: Thread


  1. identicon
    David, 6 Jul 2020 @ 3:08pm

    Re: Re: Probably mischaracterised

    > Either that, or security sensitive devices must be designed in a manner where the data on them, even if not tampered with in any manner, is completely unusable to any outside party.

    Let us know when you solve the halting problem then. (Given a set of inputs if / when will this data be breached?)

    Last time I looked, public key cryptography exists.


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.