Police Wireless Surveillance Networks Easy to Hack

LAS VEGAS — Municipal wireless networks used by American police forces to link surveillance cameras and public loudspeakers may be easily hacked into, two researchers said at the DEF CON 22 security conference here yesterday (Aug. 8).

Dustin Hoffman and Thomas Kinsey of tech-support firm Exigent Systems related how the police wireless mesh network in a small California city had no security and could be accessed by anyone, raising the possibility that pranksters or criminals could use the system to their advantage, even by injecting bogus video feeds.

"We could do all sorts of tomfoolery — hey, let's have Godzilla walk down the street," Hoffman said. "Or, we could do the opposite and send police resources elsewhere."

MORE: 12 Mobile Privacy and Security Apps

The network had been set up by a contracting company that set up similar networks in more than a dozen cities in California and Washington state, including Santa Monica and Seattle.

Casting a wide net

Mesh networks use Wi-Fi, but each device connects directly to other devices rather than to a single central node. Signals hop from one device to another, and resources such as Internet access are shared, so a network can range over several square miles instead of just a few hundred feet. (You can set up a home mesh network using the "Ad Hoc" or "Wi-Fi Direct" option on smartphones and laptops.)

Cities and towns across the United States have been installing such systems with post-9/11 Homeland Security grants, using them to offset dwindling personnel budgets by extending police presence to areas where officers can't always be present, such as parks, business districts and other areas with high pedestrian and vehicle traffic.

To those cities, the mesh-network cameras and speakers are a "force multiplier" that allows a single officer at headquarters to monitor several areas at once, much as a security guard monitors a large building.

Kinsey related how he was goofing off with friends in the city in question one night several years ago and climbed on top of a public fountain for laughs.

"I suddenly hear a voice saying, 'This is the police. Please get off the fountain,'" Kinsey said, adding that the voice sounded like "he'd said it a thousand times before."

Gaps in the mesh

Intrigued by the cameras and speakers — and the open Wi-Fi networks that bore names such as "Police Department" — that had begun to appear around the city, Kinsey and Hoffman decided to investigate. To their delight, they found diagrams mapping the mesh network and its functions, including cameras and antennae, on the municipal website.

To their dismay, they found that the network had almost no security. Wi-Fi signals were completely unencrypted ("until three days ago," Hoffman and Kinsey noted) and names of equipment makers were printed on network boxes, saving time for potential attackers looking for known vulnerabilities.

The network infrastructure named each node with one of 256 possible numbers, yet was designed to be flexible and dynamic, creating an opportunity for anyone to insert a malicious node posing as a regular one.

Because the nodes' Wi-Fi antennae were directional, pointed straight at one another rather than broadcasting signals in all directions, city officials may have thought that afforded some layer of protection. But even directional antennae bleed in other directions, the researchers noted.

"Wireless always gets into places you didn't plan on," Hoffman said.

Poking holes in the fabric

Even with the newly implemented wireless encryption, which uses the weak WEP protocol, there are many ways an attacker could compromise the city's network, the researchers explained.

In addition to inserting bogus video feeds, which might include an "Ocean's 11"-style "all is well" loop to disguise criminal activity, a malicious actor could render the system unusable by flooding the network with bogus traffic or jamming the wireless transmitters in part or all of the network.

If the city's computer networks are like those of many other small and medium-sized organizations, it might not properly isolate one network from another. It could be that an attacker might find a way from the wireless mesh network into the 911 dispatch system, the municipal finance system or even the city jail.

The city managers need to mitigate the vulnerablities by implementing more secure practices, Hoffman and Kinsey noted. They admitted that last week's move to WEP encryption was a good, if half-hearted, first step, even if it ruined their chances of demonstrating of how easy it was for civilians to access the police mesh network.

"It's not that it's not possible," Hoffman said. "It's just that now it's illegal."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.