Millions at risk due to severe security flaw in license plate readers

A curious security researcher who bought a Motorola automated license plate reader (ALPR) discovered a concerning security flaw that affects hundreds of live ALPR cameras across the country. Matt Brown, who runs Brown Fine Security, purchased a Motorola ReaperHD ALPR surveillance camera off eBay and quickly found that many live cameras of the same model are misconfigured to stream color and infrared black-and-white video, along with car data including license plate numbers, to the open internet, where anyone can access them in real time without a username or password.

Brown, who made a series of YouTube videos demonstrating his proof-of-concept tool that exposes these vulnerabilities, initially reverse engineered only his own camera, extracting the device’s firmware, and in doing so found video streams on the device. He then set out to see whether any real-world devices were reachable online, and was able to use text from a 404 error page to find the IP addresses of exposed devices on the public internet. More than 150 devices appear when using a publicly available internet scanning tool.

ALPR cameras are often placed along roads, on the dashboard of police vehicles or even inside of trucks in order to automatically take pictures when they detect a car passing by. The system uses machine learning to extract text from the license plate, which is stored alongside details such as where the image was taken, as well as the time, and the make, model and color of the vehicle. The videos and databases of collected data are then frequently used by police to search for suspects.

Motorola has responded by confirming the exposures and a spokesperson has told media outlets it is working with affected customers to close the open access. A spokesperson explains: “The ReaperHD camera is a legacy device, the sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations. Some customer-modified network configuration potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”

However, this isn't the first instance of this kind of breach: a community called DeFlock, which is an open-source map of ALPRs in the United States, has also found roughly 170 unencrypted ALPRs. The founder of that community even built a script that can take the data, decode it, add timestamped information and dump it onto a spreadsheet in order to track a specific car's movements.

In 2015, the Electronic Frontier Foundation and University of Arizona researchers found hundreds of exposed ALPR streams, and in 2019 a hack of an ALPR vendor at the Department of Homeland Security resulted in images of travelers' license plates being put up for sale on the dark web.

Brown, the security researcher, says that while not all Motorola ALPRs are leaking data or streaming to the open internet, the security flaw is still concerning and not something that is going to be fixed overnight. "You still have a super vulnerable device that if you gain access to their network you can see the data. When you deploy the technology into the field, attacks always get easier, they don't get harder."

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
