
Blockchain Consultants

Blockchain Transformations Done Here


law enforcement

Law Decoded: Police and thieves on their screens, Oct 2–9

October 9, 2020 by Blockchain Consultants

Every Friday, Law Decoded delivers analysis on the week’s critical stories in the realms of policy, regulation and law.

Editor’s note

Historians typically date the birth of international policing as we know it today to the 1800s, a response to the explosion in nationalist movements and non-governmental political radicalism in Europe. Just as new linking technologies like the telegraph and the steam engine aided and abetted new networks of political deplorables and any number of Sherlock Holmes plots, the explosion of communications tech of the last quarter-century has brought about new forms of crime. 

Which is, y’know, something everyone passively knows. In crypto, association with crime is a familiar reputational issue that is present but certainly not unique. New technology giveth and taketh away. Law enforcement’s interest in controlling new networks also grows. Paranational organizations like drug cartels and terrorist cells come to mind.

This week saw the U.S. Department of Justice press criminal charges against ISIS agents behind American deaths including James Foley’s, a move that expands their power to prosecute foreign agents as criminals under U.S. law. The FBI also busted up a home-grown far-right conspiracy to kidnap the governor of my home state of Michigan. In crypto, several jurisdictions have laid claim to new authority, with the DoJ in particular making a number of moves to expand its jurisdiction.

DoJ vs. everybody

The Justice Department’s new “Cryptocurrency Enforcement Framework” laid claim to a whole host of powers over crypto businesses that had previously been in limbo. Most notable is the generosity of what the DoJ is calling its own jurisdiction — basically anything that touches a U.S. server.

The new framework heralds a new era in the department’s crypto authority, but it’s just the clearest summary of a growing body of precedent that U.S. regulators from the SEC to the IRS have been building out for years.

The DoJ’s criminal charges against Seychelles-registered BitMEX’s leadership last week in some ways telegraphed their particular interest in combatting crime in crypto wherever in the world it may be. Most earlier involvement in crypto-linked prosecutions abroad had been focused on networks the DoJ saw as being primarily designed to finance terrorism or funnel money to sanctioned individuals. While the DoJ accused BitMEX of being a means for such action, the allegations against the leadership are not really accusing them of ideological or political illegality, but rather old-fashioned greed.

Distressing for the crypto community is, as always, the association with criminal activity. The DoJ’s report pays lip service to blockchain technology’s ability to revolutionize payments, finance, international trade, shipping, trust, consensus et al — I assume that this readership is familiar with the myriad use cases — but the report pivots compulsively to crime. From the DoJ’s side of things, that is their trade, so it makes sense, but it also adds to the unfair stigma against a technology.

Another cause for concern is that tech-savvy people in the U.S. can get around the barriers put up by really any crypto company, given enough time and potential profit. So as with the general trends of the last year, U.S. authorities really do seem to be building out the legal framework to give themselves jurisdiction over crypto basically anywhere. World Police indeed.

UK shuts door on whole genre of crypto investment

The United Kingdom’s Financial Conduct Authority nixed trading of crypto-based derivatives — including futures, options and swaps — for all retail investors starting in January.

While the FCA may not be as globally hawkish on crypto as its U.S. analogues, London remains Europe’s financial center. Much like Brexit itself, the predicted exodus from London has seen delays that seem to mock all bold predictions.

With its focus on retail investors, however, the FCA has obviously designed its new ban to be more of a protective maneuver for regular Britons rather than a handicap on the reigning heavyweight champs of the London Stock Exchange.

Nonetheless, as the UK’s position within both Europe and the global economy is vulnerable, implementing a stringent ban on a new asset class seems like yet another way of recusing itself from the financial future. As mentioned earlier, determined UK crypto investors will almost certainly be able to get around the new ban to access offshore exchanges with less legal accountability to the UK and more extravagant and risky leveraged offerings. 

But maybe a somewhat built-in assumption is that, while the technological implementation of any ban is going to be slow and imperfect, a retail investor capable of working around it is not exactly the person the FCA is most worried about protecting.

DoJ vs. the elusive Mr. McAfee

After decades of intercontinental outrageousness, John McAfee was arrested in Spain for tax evasion. He also faces a suit from the SEC for fraudulent ICO promotion.

McAfee first found success in the 80s at the head of the firm that produces the antivirus software that still bears his name. He left the company in the 90s and has been bouncing around the world more or less ever since, racking up guns, substance addictions, and allegations of sexual assault and murder. Also not paying his taxes, allegedly. He was posted up in Cuba out of the reach of U.S. authorities for a while.

Despite his early successes in technology, McAfee has for decades built a personal brand on foundations of infamy. The SEC’s allegations suggest that he managed to translate that megaphone into millions of dollars by plugging into the curious hypedraulic mechanics of the ICO boom. Earlier this year, he tried to launch a privacy token that he admitted was largely taken from another project. McAfee is hardly what you would call a builder. While everyone is innocent until proven guilty, McAfee’s absence from the crypto scene would be a blessing for the industry’s reputation.

Further reads

The Bank for International Settlements put out a new and extensive report on Central Bank Digital Currencies and the associated risks and prospects.

Tax attorney Jason Freeman runs down the latest memorandum from the IRS on how to get your taxes on virtual assets in order.

Writing for the Electronic Frontier Foundation, Rainey Reitman talks problems with the extradition hearings for Wikileaks founder Julian Assange.


Indian Police Investigate Crypto Exchange Accused of Running Mining Scam

September 23, 2020 by Blockchain Consultants

Cryptocurrency fraud is currently running rampant across several countries. India is among the countries where such criminal activity is most common, and law enforcement is now investigating yet another case.

Branching Out Into Fraud

Earlier this week, local news source Millennium Post reported that the Economic Offence Wing of the Delhi Police had launched a full-scale probe into Pluto Exchange, a local digital asset exchange platform, and its operators. Per the report, the investigation came after 43 investors filed a complaint against the firm.

The complaint alleged that Pluto Exchange’s founder, Bharat Verma, and several other company officials, had developed a fraudulent scheme that lured investors. The scheme was purportedly a trading and mining operation called “F2poolminin.” It ran as a subsidiary of the exchange.

One of the plaintiffs explained that he first met the exchange operators at Connaught Place, a business and technology hub in New Delhi. They told him that he could invest in the scheme and make between 20 and 30 percent monthly. He added that they also offered him some extra commissions if he managed to bring more people into the fold.

The plaintiff eventually invested $6,500 with the scheme. When he didn’t get any returns for a while, he confronted Verma, who told him that the company had been unable to pay because some of its bank accounts had been frozen, and the Bitcoin price had dropped significantly.

Per the report, Pluto Exchange had left India and is now based in Dubai. However, they’re still running the scam and have now collected about $6.8 million from investors.

India’s Extensive Crypto Crime Problem

The Pluto Exchange saga is currently the latest in a long line of fraudulent crypto operations seeking life in India. For now, perhaps the most popular scam form has been call center scams, which are targeting some high-income residents.

India TV News reported last month that cybercriminals are targeting these victims through messages on social media, encouraging them to buy Bitcoin through a mobile app. The app, which purportedly functions as a crypto exchange, is merely a sham. Once a user deposits Bitcoin into the exchange, the scammers block the person and disappear.

A witness told the news source that an unidentified victim lost $50,000 to the scheme, while another unnamed businessman lost at least $3 million.

The scammers have also targeted some top government officials. Earlier this month, India Today reported that hackers managed to break into the Twitter account of Prime Minister Narendra Modi. The hackers, known under the collective name “John Wick,” reportedly asked Modi’s followers to donate to “PM National Relief Fund for Covid-19,” a fake coronavirus relief fund.

Blockchain data shows that no funds were sent to the site, leading to the belief that the massive Twitter hack of July had made people much wiser. However, this growth in fraudulent activities is alarming.

Sidharth Sogani, the founder and chief executive of blockchain and cryptocurrency research company Crebaco, told Cointelegraph last month that Indian investors lost about $500 million to scammers both home and abroad between 2017 and 2019. Things also can get much worse, as cryptocurrencies are growing in popularity across the country.


Crooked police chief sentenced to 8 years for dark web shenanigans

September 22, 2020 by Blockchain Consultants

Former police chief Yuri Zaitsev was recently sentenced to eight years in prison for acting as a bounty hunter for a dark web marketplace. In December 2018, Zaitsev was working as the leader of his unit within the Main Directorate for Drugs Control of the Republic of Khakassia — a law enforcement division which is analogous to the U.S. Drug Enforcement Administration, or DEA. At that time, he initiated contact with the operator of a dark net marketplace, offering to help hunt down a man who had appropriated drugs that were entrusted to him for placement in dead drops. 

In Russia, unlike the U.S., most dark web entrepreneurs do not trust the post office for shipments. The prevailing mode of dissemination of these illegal products is instead completed through dead drops — a method of delivery by which two parties can pass items or information back and forth without ever needing to meet in person.

According to the Main Investigation Department, the cop had received the equivalent of 52,000 roubles in Bitcoin (BTC) for his services. At the time, this was equivalent to approximately $750 or 0.2 BTC. He was found guilty on charges of bribery and the disclosure of classified information.

According to Zaitsev’s wife, his prosecution was punishment for investigating senior officials within his agency. He was subsequently fired and prosecuted. From October to November 2019, Zaitsev uploaded a number of videos to YouTube in which he allegedly exposed corruption among senior officials in his Directorate. This appears to be what led to criminal charges against him for disclosure of classified information. In November 2019, Zaitsev uploaded an appeal to President Putin on YouTube in which he pleaded his case, but to no avail.

During the unrelated Silk Road investigation, numerous law enforcement officials fell afoul of what they perceived as easy, untraceable Bitcoin. DEA Special Agent Carl Force managed to elicit 1,200 Bitcoin from Ross Ulbricht. He obtained the funds using an elaborate scheme in which he had created multiple fake personas ranging from a major South American drug trafficker to a corrupt law enforcement official. One of the tasks assigned to him by Ulbricht was hunting down and murdering a former associate who allegedly had stolen Bitcoin from him. The actual thief was another law enforcement official involved in the investigation. The murder was staged by Force, but never materialized in actuality.

The events that took place in Khakassia a few years after the Silk Road saga seem in some ways like a cheap local knockoff of an expensive HBO show. As Marx once said, history repeats itself “the first time as tragedy, the second as farce”.


Justice Department charges Deep Dot Web administrators with money laundering

May 14, 2019 by Blockchain Consultants

U.S. prosecutors have formally brought charges against the alleged co-owners and administrators of Deep Dot Web, who were arrested Tuesday.

Tal Prihar, 37, and Michael Phan, 34 — both Israeli citizens — were charged with one count of conspiracy to commit money laundering, according to a newly unsealed indictment.

Prihar, who resided in Brazil, was arrested by French police in Paris on Monday, while Phan was arrested by Israeli police in a simultaneous raid.

The two are accused of making millions of dollars in commission from Deep Dot Web, a website featuring news, reviews and information about dark web sites and marketplaces. Prosecutors said the administrators made their commission by linking to marketplaces on the dark web — only accessible through Tor, an encrypted anonymity network.

Many of the dark web marketplaces sold drugs, weapons and stolen data, which hackers could use to break into online accounts.

A staffer at Deep Dot Web said in a Medium post following the arrests that Deep Dot Web would generate a slice of the revenue from purchases made on dark web marketplaces, said to be as much as 4%. Brazil’s federal police said in a statement the site made millions of dollars in cryptocurrency from referral sales from more than 15,000 dark web users.

Following the arrests, the FBI seized Deep Dot Web’s website.

“It was truly a 50:50 partnership between the two defendants,” said Scott Brady, U.S. attorney for Western Philadelphia, in a press conference in Pittsburgh on Wednesday announcing the charges.

According to the district attorney, more than 23% of all transactions made on AlphaBay, a dark web marketplace taken down by authorities in 2017, were associated with a referral link from Deep Dot Web. The indictment also said Deep Dot Web referred more than 198,000 users to Hansa, another defunct market, accounting for nearly half of the site’s users, of which Deep Dot Web “received a commission on all of those users’ purchases.”

The indictment said Prihar and Phan made about 8,155 bitcoins in total — almost half of which was collected from AlphaBay. Prosecutors said at its peak, the bitcoins were worth more than $15.4 million.

“This is the single most significant law enforcement disruption of the dark net to date,” said Brady.


Read more: https://techcrunch.com/2019/05/08/doj-deep-dot-web-indictment/


Feds Dismantled the Dark-Web Drug Trade, but It’s Already Rebuilding

May 11, 2019 by Blockchain Consultants

On the dark-web drug market Empire this week, business proceeds as usual. "Satisfied customer, will be back," writes one user on the product page of a meth dealer with the handle shardyshardface. "Excellent," reads a plaudit posted by a buyer of the opiate oxycodone. "Bravo," says another for a $5 sample of fentanyl, one of 18 reviews posted on the product's profile page in the last week. In all, Empire lists over 18,000 narcotic offerings, including hundreds for oxycodone alone.

Judging by that buzzing trade, there's little hint that just the week before, global law enforcement announced the takedowns of two of the world's largest dark-web drug sites, known as Wall Street Market and Valhalla. Or that the most popular market, called Dream, had taken itself offline at the end of last month, perhaps sensing law enforcement closing in. Or that a multiagency US law enforcement task force devoted to stemming opioid sales on the dark web arrested more than 60 people in a major operation the month before.

On Wednesday, the FBI and Europol announced their latest win: The takedown of dark-web news and information site DeepDotWeb, which had quietly made millions of dollars from offering promotional links to black market sites in a kind of underground affiliate marketing scheme. "We think it's going to have a huge impact," FBI special agent Maggie Blanton, who leads the bureau's Hi-Tech Organized Crime Unit, told WIRED. "We viewed DeepDotWeb as a gateway to the dark web."

A dark web market calling itself Nightmare has 28,000 narcotics listings and remains online after law enforcement's recent crackdown.

Taken together, those operations represent the most far-reaching collection of law enforcement actions against the dark web's economy in at least two years. "You’re seeing the evolution of a coordinated law enforcement effort," the director of Europol's European Cybercrime Centre said. "It’s not whack-a-mole anymore."

But despite those wins, a years-long war of attrition seems to be exactly the pattern that the dark web's booms and busts now follow, argues Carnegie Mellon computer scientist Nicolas Christin, a longtime dark web researcher. In an economy where the demand—drug-addicted users—remains constant or growing, that's only to be expected.

"History has taught us that this ecosystem is very, very resilient," Christin says. "It's part of a cycle, and we’re in the chaotic part of the cycle. We’ll have to see how it recovers. But if I were a betting person I would put more money on it recovering than on it dramatically changing."

Lather, Raid, Repeat

The cycle Christin describes—law enforcement takedowns followed by a slow but robust recovery—has played out on the dark web again and again, repeating roughly every year or two. After the late 2013 takedown of the Silk Road, the first real dark-web drug market, more than a dozen replacements rose up to fill the demand for anonymous online narcotics sales. A massive crackdown called Operation Onymous followed in late 2014, seizing a broad swath of the dark web and arresting 17 people by exploiting a vulnerability in the anonymity software Tor, which serves as the dark web's fundamental cloaking tool.

Yet by 2017, another site, AlphaBay, rose up to become far bigger than the Silk Road had ever been. In a well-coordinated, two-pronged attack, the FBI took down AlphaBay in July of that year while Dutch police hijacked the second-largest dark-web market, Hansa. That maneuver drove AlphaBay's refugees into a trap: The Dutch police had rewritten parts of Hansa's code to de-anonymize users, grab their passwords, and even install beacons on their computers. The double takedown, called Operation Bayonet, was intended not only to ensnare dark-web buyers and sellers but to scare them, too, as the Dutch police's National High Tech Crime Unit told WIRED at the time, creating a deterrent to keep users from migrating to the next dark-web drug bazaar.

A few of the hundreds of listings for highly dangerous fentanyl and carfentanil opioids on another market, called Empire, that escaped law enforcement's crackdown.

The FBI's Blanton told WIRED that no dark-web market has reached AlphaBay's scope since. But Christin counters that, by early this year, he had observed that Dream Market had roughly matched AlphaBay's previous size. (He declined to share detailed numbers, which he says are part of a still-unpublished study.) "What happened in 2017 was very unique, that one-two punch," Christin says. "But that doesn’t seem to have dented the ecosystem in a major way."

The Law Wins a Round

The last two months of arrests have at least sent the dark web into a temporary state of turmoil. In March, apparently enabled in part by information gathered in the Hansa sting, the US Department of Justice announced it had carried out what it calls Operation SaboTor. It arrested 61 people, and seized more than 650 pounds of illegal drugs, 51 firearms, and nearly $10 million in cash, gold, and cryptocurrency. SaboTor also underscored an aggressive new approach to law enforcement's dark-web operations: The agents from the Joint Criminal Opioid Darknet Enforcement team that carried it out—from the FBI, Homeland Security Investigations, Drug Enforcement Administration, Postal Service, Customs and Border Protection, and Department of Defense—now all sit together in one room of the FBI's Washington headquarters. They've been dedicated full-time to following the trail of dark-web suspects, from tracing their physical package deliveries to following the trail of payments on Bitcoin's blockchain.

Following those J-CODE arrests, Dream Market announced that new management would take over at the end of April. Instead, it went offline altogether. Then came the seizure of Valhalla and Wall Street Market last week. The latter's takedown began, the head of the Dutch federal police's darknet-focused team Nan van de Coevering tells WIRED, through a tip that led them to part of Wall Street Market's infrastructure hosted in the Netherlands. From there the three alleged administrators were further exposed through a combination of security mistakes: A faulty VPN revealed one of the men's IP address when he connected to its backend infrastructure, while another administrator had received bitcoins from the market with the same wallet he'd used to pay for a videogame account. A rogue staffer who had blackmailed the site's users also leaked the site's backend credentials, which may have aided in law enforcement's investigation.

But don't expect the dark web's downtime to last, says Roman Sannikov, an analyst at security firm Recorded Future. "My guess would be the lower-tier markets just grow in prominence again," he says. "Probably a couple of markets will step up."

"A Bottomless Pit"

By some measures, they already have. In addition to Empire Market's more than 18,000 drug listings, another site called Nightmare Market now lists 28,000 drug products, along with the dark web's usual assortment of stolen credit card numbers, counterfeits, and hacking tools. A new, Reddit-style forum site called Dread, hosted on a Tor hidden service, has already replaced the seized DeepDotWeb as a community hub, where users discuss which site to use when one is taken down by police or turns out to be run by scammers.

On Dread, the reactions to the recent law enforcement activity were a mix of dismay and defiance. "Are there any trustworthy markets left?" one user wrote, complaining that they used the dark web markets as a source for anti-seizure drug Lyrica and now had no good source. "This is so fucked up man, we have the right to do whatever we want to our bodies."

"Waste your resources on seizing petty websites because they know the use of darknet services is ever growing," another user wrote. "The war on drugs is a complete failure, a bottomless money pit."

But both the FBI and Europol officials who spoke to WIRED argued that while their battles against dark-web drug sites are far from over, that fight remains necessary—even if only to limit the dark-web markets' growth and make it even incrementally harder to buy dangerous drugs like fentanyl online. "Any small win is a victory," the FBI's Blanton says. "We care about stopping even one more person from overdosing."

"Some people you’re not going to deter from going to these markets. But there are a large number of people who would never consider buying drugs on a street corner or from a shady dealer but who will use the perceived anonymity of the internet to do this," Europol's Steven Wilson says. "If we can dissuade those people, how many lives do we end up saving?"


Read more: https://www.wired.com/story/dark-web-drug-takedowns-deepdotweb-rebound/


Police Bodycams Can Be Hacked to Doctor Footage

August 12, 2018 by Blockchain Consultants

As they proliferate, police body cameras have courted controversy because of the contentious nature of the footage they capture and questions about how accessible those recordings should be.

But when it comes to the devices themselves, the most crucial function they need to perform—beyond recording footage in the first place—is protecting the integrity of that footage so it can be trusted as a record of events. At the DefCon security conference in Las Vegas on Saturday, though, one researcher will present findings that many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage.

Josh Mitchell, a consultant at the security firm Nuix, analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. The companies all market their devices to law enforcement groups around the US. Mitchell's presentation does not include market leader Axon—although the company did acquire Vievu in May.

In all but the Digital Ally device, the vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. Or an attacker could simply delete footage they don't want law enforcement to have.


Mitchell found that all of the devices he tested had security issues that could allow an attacker to track their location or manipulate the software they run. He also found problems with the ecosystem of mobile apps, desktop software, and cloud platforms that these cameras interact with. Additionally, Mitchell says that some of the more sophisticated models, which contain radios for Bluetooth or cellular data connectivity, also have vulnerabilities that can be exploited to remotely stream live footage off the cameras, or to modify, add, and delete the footage stored on the devices.

"With some of these vulnerabilities—it’s just appalling," Mitchell says. "I approached this research by trying to find industry trends that are prevalent across multiple devices. There are issues for each of the five devices I looked at that are specific to that device, but there are also trends in general across all of them. They are missing many modern mitigations and defenses."

Four of the five body cameras Mitchell tested have a Wi-Fi radio—the CeeSc WV-8 does not—and all of those broadcast identifying information about the device. Sensitive gadgets like smartphones have started randomizing these IDs, known as MAC addresses, to mask them. But the body cameras Mitchell looked at use predictable formats that give away too much information, like make and model plus a code for each device.

That means an attacker could use a long-range antenna to track cops. And as Mitchell points out, body cameras are often only activated when police carry out certain operations, or anticipate particular interactions. Noticing that 10 body cameras all activated at once, in a localized area, could foreshadow a raid, for instance. Mitchell fears that the exposure could pose a safety risk to law enforcement.

Mitchell says that all of the devices also have shortcomings in validating the code they run and the data they store. He found that none of the models he tested uses cryptographic signing to confirm the integrity of firmware updates, a common Internet of Things lapse. Without it, an attacker might develop malicious software that could be delivered to different devices in different ways based on their other vulnerabilities—through exposed desktop software or remote programming, for example. Once introduced, the devices will run any firmware without question.

More specifically problematic: The bodycams don't have a cryptographic mechanism to confirm the validity of the video files they record either. As a result, when the devices sync with a cloud server or station PC, there's no way to guarantee that the footage coming off the camera is intact. "I haven’t seen a single video file that’s digitally signed," Mitchell says.
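As an added illustration (not code from the article, the researcher, or any vendor), here is the kind of integrity check the footage described above lacks: each recorded segment gets an authenticated, hash-chained manifest record on the camera, and the station verifies the chain at sync time. It uses an HMAC with a per-device key as a standard-library stand-in for a real digital signature; the key, segment bytes and function names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data: a demo device key and three fake footage segments.
# Assumption: a real device would keep an asymmetric signing key in secure
# hardware; HMAC is used here only because it ships with the standard library.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
SEGMENTS = [b"segment-0 frames", b"segment-1 frames", b"segment-2 frames"]

GENESIS = "0" * 64  # "previous tag" value for the first record
FIELDS = ("index", "sha256", "prev", "final")


def _tag(key, record):
    """Authenticate one manifest record with HMAC-SHA256 over canonical JSON."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal_footage(key, segments):
    """Camera side: one chained, authenticated record per footage segment."""
    manifest, prev = [], GENESIS
    for index, data in enumerate(segments):
        record = {
            "index": index,
            "sha256": hashlib.sha256(data).hexdigest(),
            "prev": prev,                          # binds record to its predecessor
            "final": index == len(segments) - 1,   # closing marker detects truncation
        }
        tag = _tag(key, record)
        manifest.append({**record, "tag": tag})
        prev = tag
    return manifest


def verify_footage(key, segments, manifest):
    """Station side: return a list of problems; an empty list means intact."""
    problems = []
    if len(segments) != len(manifest):
        problems.append("segment count does not match manifest")
    prev = GENESIS
    for index, entry in enumerate(manifest):
        record = {name: entry.get(name) for name in FIELDS}
        claimed = str(entry.get("tag", ""))
        # Constant-time comparison of the recomputed and claimed tags.
        if not hmac.compare_digest(_tag(key, record).encode(), claimed.encode()):
            problems.append(f"record {index}: bad tag")
        if record["index"] != index or record["prev"] != prev:
            problems.append(f"record {index}: chain broken")
        if index < len(segments):
            if hashlib.sha256(segments[index]).hexdigest() != record["sha256"]:
                problems.append(f"segment {index}: content changed")
        prev = claimed
    if not manifest or manifest[-1].get("final") is not True:
        problems.append("manifest not closed: trailing footage missing")
    return problems


if __name__ == "__main__":
    manifest = seal_footage(DEVICE_KEY, SEGMENTS)
    print("intact:", verify_footage(DEVICE_KEY, SEGMENTS, manifest))
    edited = [SEGMENTS[0], b"edited frames", SEGMENTS[2]]
    print("edited:", verify_footage(DEVICE_KEY, edited, manifest))
```

Because HMAC is symmetric, anyone holding the device key can also forge records, which is why a deployed design would sign with a private key that never leaves the camera.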

In addition to connecting to Wi-Fi networks, higher-end body cameras like the Vievu LE-5 Lite and the Patrol Eyes SC-DV10 also have the ability to generate a Wi-Fi access point of their own. That allows other devices to connect to the camera's private network, but Mitchell found that these features had inadequate or missing authentication in the models he tested, so anyone could connect to a camera from a regular consumer device and access its data.

Mitchell says that the cameras all had some features that were missing key access controls, or relied on default credentials that were easy to determine. A proactive police department could update the defaults to something stronger, but even those could be undermined on certain devices. Many of the desktop platforms and mobile apps used with the cameras also had issues with access control.

"These videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced," Mitchell says. "I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues."


Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit that could ultimately allow an attacker to gain remote access to the police network, ransomware to spread across the network and lock everything down, a worm that infiltrates the department's evidence servers and deletes everything, or even cryptojacking software to mine cryptocurrency using police computing resources. Even a body camera with no Wi-Fi connection, like the CeeSc, can be compromised if a hacker gets physical access. "You know not to trust thumb drives, but these things have the same ability," Mitchell says.

"The fact that some law enforcement evidence-collecting devices can be hacked evokes some true nightmare scenarios," says Jay Stanley, senior policy analyst at the American Civil Liberties Union. "If there aren't reliable ways of ensuring that such equipment meets strong security standards, then something is deeply broken. No police equipment should be deployed that doesn't meet such standards."

Mitchell disclosed his findings to the five vendors and has been working with them to fix the issues. Axon says it is in the process of patching the Vievu vulnerabilities. "We are pushing a fix out to all Vievu customers early next week to resolve the issue that impacts users who have not reset their default Wi-Fi password," Axon spokesperson Steve Tuttle told WIRED. "As part of our regular release cycle, we are pushing several security updates next quarter, which include items identified by the security researcher. We have invested heavily in a dedicated information security team that works to ensure all Axon products are designed and built with security in mind."

A Patrol Eyes spokesperson told WIRED that the company is aware of Mitchell's findings and is evaluating them. Fire Cam president Rob Schield says the company discontinued the OnCall device two years ago and no longer supports it. Third parties continue to sell it, though. CeeSc, which is owned by Chinese manufacturer Advanced Plus Group, did not return WIRED's requests for comment. Digital Ally also did not respond to inquiries.

Mitchell hopes that the companies fix the bugs he found, but his larger goal is to call attention to the shortcomings of a whole class of device—one that happens to play a vital role in public safety and social justice. "It's a complex ecosystem and there are a lot of devices out there with a lot of problems," Mitchell says. "These are full-feature computers walking around on your chest, and they have all of the issues that go along with that."



Read more: https://www.wired.com/story/police-body-camera-vulnerabilities/
