What's really concerning is not that we can locate remote surveillance machines with Shodan, or with "Google dorks"; most of the hosts we've come across are not accessible without a password (or exploit, but that's out of my depth and not what we're doing). What's alarming is that our search results reflect the massive spying infrastructure in the same way every roach you see in your kitchen is an emissary of thousands if not millions more. What we're finding now are outliers; most gear is not indexed by search engines.
ALPR is just the beginning -- since the last post I've found multiple hosts of biometric identification services -- fingerprints and facial recognition.
Something to note here is that the industry-agency approach to this biometric data is not really different from its treatment of license plates -- that is, as "anonymized" metadata (this may or may not be its legal status, but inasmuch as technology is developed for its manner of use, faces are being treated like license plates).
Why are we able to locate these systems and doesn't this make them insecure?
I should stop here for an interlude/disclaimer: I am not a security expert -- I'm also not an expert at any IT discipline or a programmer, here you'll find my inferences from a process of deduction and some measure of applied experience. Being an autodidact has its limitations, but the proof of the pudding is in the tasting, and, well, I'm saying I'm going to find stuff by doing x and am finding stuff.
If you're seeking someone to help you stay secure or 'private,' I'm not your man but will send anyone who needs that help to someone I trust, just ask.
I feel pretty comfortable saying that yes, this is insecure, even if the hosts we've found aren't especially vulnerable to having their security measures circumvented, because security on the Internet, especially the security of Things on the Internet Thereof, is heavily dependent on obscurity. When those things are accessible on the Internet of TCP/IP -- this is the tier of HTTPS and IP addresses that most of us are pretty used to dealing with -- it's like the mole's head has popped out, because TCP/IP was designed for transparency, between machines, anyway.
Really at issue are the stakes involved in our telematic extensions; is protecting biometric data more important than it being accessible from anywhere, anytime?
I was excited to recently learn I could search the html field on Shodan. I have been searching Shodan some for a long time, and for similar purposes. But it was more complicated and more of a fishing expedition - the approach of adhering to the strict rules for asking questions along with a certain amount of fuzz that I described in my first post was much more difficult, because I was searching by things like ports, protocols, and software version, a language in which I am less fluent and has more rigidity.
We're able to find these ALPR servers, etc., because they are labeled for us, so to speak. Shodan doesn't obey the rules that Googlebot obeys (sometimes obeys), because it is not looking for the same things, or constructed the same way. Googlebot is a machine mind, and you use a sort of machine language -- "quoting exact text," Boolean operators, (nesting terms OR "nesting terms") -- to locate human informational content.
Shodan has a robot heart and robot eyes, a database of connected machines indexed by the machine language on their public page 1 -- with Google you're looking for what people see, with Shodan, what computers "see."
Authorized users need to be able to recognize a log-in page, and there are an absurdly high number of authorized users regularly accessing an also absurdly large number of duplicative surveillance databases, both government and private. This compounding insecurity is a market effect.
[Image caption: Chicago police mobile access portal.]
We've also learned something new about the state of the art of ALPR systems, I dare say. For a long time ALPR systems had an FTP service almost as a rule, running on PIPS/BOSS (FTP is also used in other ALPR models, but PIPS was essentially the first, long owned by Federal Signal).
This was a feature of the need to quickly upload and offload a lot of data in the form of plate images. The images captured live are analyzed by software (mostly this is referred to as OCR, optical character recognition), and then offloaded periodically, with delimited text files retained on the server, the text of the license plates which the software extracted from the pictures. These lists live together on the server with others, the hotlists, or watchlists, and are cross-referenced to perform 'alerts' (PIPS is now owned by 3M, which does what they call in the industry a super lot of surveillance).
In common across search terms for ALPR systems on Shodan: many are hosted on cloud services, an overwhelmingly high number by org:"Microsoft Azure" (in Shodan search terms). Microsoft in particular and cloud services generally, Amazon, others, are clearly industry dominant now, and some of you might have known that, but I didn't. When you do a lot of searching by "network forensics," in a manner of speaking, it makes for sometimes funny coincidences, because things like IP address are often common between entirely unrelated/unaffiliated domain names.
That brings us back nicely to our first group of hosts and the "AutoVu Occupancy Study." The location of the servers is probably only indicative of the hosting service -- this does present a pretty plainly cozy relationship between Microsoft and Genetec, which isn't a secret. Dallas and Boydton are both home to data centers, and there's a Microsoft Technology Center in Dallas.
ForensicLogic, which noted on the last post that the ALPR scan data was open source, also says the host we've been looking at is not a sales demo, but the "default demo data" for its open-source GitHub project.
This is the landing page:
It just seems to me to have a theme.
I did find it interesting that the project has a repository for an Azure template.
I'd expect to see more of this stuff on Shodan, a lot more, because access to these databases has become not just ubiquitous, it is pervasive, as in many jurisdictions use smartphone-sized devices or smartphones to perform facial recognition searches on subjects during routine traffic stops. When they do this, some will look at webpages with a brand and version and probably some description in order to log in -- which would be read by Shodan as text between <html> tags (if I close this here I'm afraid it will format the Blogger post).
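As an added illustration of the point above (my own example, not code from the post or from any vendor named in it): a small defender-side review that reads an HTTP response body the way a banner indexer would, pulling out the title, the generator meta tag, version strings and whether it is a log-in page, so an operator can see what a search engine would key on. The sample pages and the product name "AcmeLPR" are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not a real product): a branded log-in page of the kind
# the post describes, which an indexer stores as text between the html tags.
SAMPLE_LOGIN_PAGE = """<html><head>
<title>AcmeLPR Back Office v4.2.1 - Login</title>
<meta name="generator" content="AcmeLPR WebUI 4.2.1">
</head><body><h1>AcmeLPR Hotlist Server</h1>
<form action="/login" method="post"><input type="password" name="pw"></form>
</body></html>"""

# Constructed sample of a log-in page that gives an indexer nothing to key on.
SAMPLE_BLAND_PAGE = ("<html><head><title>Sign in</title></head><body>"
                     "<form method='post'><input type='password'></form></body></html>")

VERSION_RE = re.compile(r"\bv?\d+\.\d+(?:\.\d+)*\b")


class _Collector(HTMLParser):
    """Collect the fields a banner indexer keeps: title, generator, text, password inputs."""

    def __init__(self):
        super().__init__()
        self.title, self.generator, self.text = "", "", []
        self.password_inputs, self._in_title = 0, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text.append(data)


def indexed_fingerprint(html):
    """Return what a crawler could key on in this page body (title, generator, versions, log-in)."""
    c = _Collector()
    c.feed(html)
    visible = " ".join(" ".join(c.text).split())
    versions = sorted(set(VERSION_RE.findall(" ".join([c.title, c.generator, visible]))))
    return {"title": c.title.strip(), "generator": c.generator,
            "versions": versions, "has_login": c.password_inputs > 0}


def exposure_findings(html):
    """List the reasons a page is easy to locate by search term; empty means nothing stood out."""
    fp, findings = indexed_fingerprint(html), []
    if fp["versions"]:
        findings.append("version string exposed: " + ", ".join(fp["versions"]))
    if fp["generator"]:
        findings.append("meta generator names the product: " + fp["generator"])
    if fp["has_login"] and len(fp["title"].split()) > 2:
        findings.append("descriptive title on a log-in page: " + fp["title"])
    return findings
```

Run it over your own externally reachable log-in pages (fetched however you already do) and treat every finding as a label that makes the host searchable.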
Below are the hosts I found on Shodan grouped by search term. I have not looked into any on the list yet; these are hosts that seemed of likely interest just from the results page -- the subject is just ALPR.
I'm not sure if I'll dissect these for my next post or not, I might just write a poem or something.
https://www.shodan.io/host/18.104.22.168 - Index of/