Digital License Plates, Encrypted Messaging, Drone Panic, State of the Surveillance State & More

Vol. 6, Issue 1

Jan 06, 2025

A photo of an NYPD surveillance camera on a light pole and a CVS surveillance camera on the corner of a building. — Public & Private Surveillance Collaboration by Jerome D. Greco is licensed under CC BY 4.0

January 6, 2025

Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Gregory Herrera discusses hacking digital license plates. Joel Schmidt explains the federal government’s change of opinion on end-to-end encrypted messaging. Diane Akerman examines the recent drone panic. Finally, Jerome Greco gives the State of the Surveillance State Address.

The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal Defense, Juvenile Rights, and Civil Practices of The Legal Aid Society.

In the News

A photo of Reviver digital license plate for California. — Photo by Clayton Cadinalli on Unsplash

The Fast and The Hackable: Digital License Plates Edition

Gregory Herrera, Digital Forensics Staff Attorney

As cashless toll systems have been implemented throughout the country, drivers have come up with numerous ways to avoid paying. There’s covering your license plate with camera-proof screens and sprays, using tape or stickers to change the letter and numbers, scraping off letters and numbers, pasting on dead leaves to obscure the plates, or using temporary paper tags (mostly out of state and often or expired). Some drivers go as far as to install license plate flippers, which move the plates out of view as cars approach the toll cameras and then flip back them to their normal position.

Here comes a new challenger: the hackable digital license plate.

Josep Rodriguez, a researcher with the IOActive security firm, revealed a technique to jailbreak digital license plates sold by Reviver in a demonstration last month to WIRED. The jailbreak involves connecting a cable to the internal connectors and rewriting the firmware in a few minutes. Once the jailbreak is complete, the digital license plate can “receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image.” That means a driver can avoid tolls, red light cameras, or even automatic license plate readers (ALPRs).

Reviver, the leading vendor of digital license plates, touts them as customizable, tamper-proof, and a legal alternative to conventional license plates and registration stickers (at least in California and Arizona). According to their website, they piloted their digital license plates in 2016 via a partnership with California’s Dept. of Motor Vehicles as well as California Highway Patrol. A new 2022 law allows California drivers to “utilize Reviver’s suite of products as alternatives to conventional license plates, stickers, tabs, and registration cards issued by the California DMV.” They promise more than a gimmicky car accessory, requiring a service plan subscription in exchange for offering in-app vehicle state registration renewal, stolen plate/vehicle reporting, and regular feature updates.

However, fixing the jailbreak would require replacing the chips in each digital license plate because the vulnerability exists at the hardware level, not the software level. Reviver claims to have learned of the vulnerability for the first time when contacted by WIRED, despite IOActive’s attempts to contact Reviver for about a year. Reviver’s servers were hacked in 2023, so it’s not the first time the company’s had to deal with a security breach.

The digital license plate jailbreak comes at an interesting time for New York City commuters. The controversial congestion pricing plan – aimed at relieving traffic and pollution in Lower Manhattan while generating much-needed revenue for the City’s public transportation system – began yesterday, January 5, 2025. On top of that, New York State officials estimate that between $35 million and $55 million is lost annually to toll theft at the Thruway Authority, the Metropolitan Transportation Authority, the Port Authority of New York and New Jersey and smaller tolling agencies. Officials have put forth proposals to combat toll evasion such as making toll evasion a crime, increasing fines, and prohibiting the sale of certain items to used to obscure license plates. With imminent congestion pricing tolls and a proposed bill that would create a digital license plate pilot program, jailbroken digital license plates may soon become the must-have car accessory for New Yorkers.

A clipart image of a white lock on top of green lettering and a black background. — Photo by OpenClipart-Vectors on Pixabay

‘Encryption is Your Friend’: Federal Officials Urge Americans to Use Encrypted Messaging Apps

Joel Schmidt, Digital Forensics Staff Attorney

There was a time when the government couldn’t stomach the idea of Americans having access to apps that encrypted their messages without the government or the app companies having any way of reading them. In 2020 the Department of Justice argued that messaging apps that provide end-to-end encryption create “severe risks to public safety” because they'd be used to transmit illegal and harmful content and preclude the ability of law enforcement “to access content,” even with lawful authority (e.g., a warrant). This inability to access content, the government argued, would prevent them from being able “to investigate serious crimes and protect national security.”

To be sure, the government claimed to “support strong encryption,” it just didn’t like the idea of end-to-end encryption because neither the government nor the companies would ever be able to read your messages. (You know, encryption of the “strong” variety.)

The Federal Bureau of Investigation (FBI) even once went through the effort of secretly creating and spreading its own messaging app claimed to be encrypted but which in fact was run by the FBI allowing it to read all of the over twenty million messages sent using the app loaded onto specially modified cellphones. That effort is said to have led to the arrest of hundreds of suspected criminals, is the subject of a recently released book, and is being adapted into a Netflix movie.

Imagine, then, everyone’s surprise when last month news reports emerged that federal officials held a phone call with reporters in which they encouraged Americans to use encrypted messaging apps for messages and even phone calls. We were told “encryption is your friend” and were strongly urged to “use your encrypted communications where you have it.”

In written guidance [PDF] issued to “highly targeted individuals” but “applicable to all audiences,” the Cybersecurity and Infrastructure Security Agency (CISA) urged Americans to “[a]dopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps.”

Other written guidance from the National Security Agency (NSA), CISA, and the FBI encourages engineers at telecom companies to “[e]nsure that traffic is end-to-end encrypted to the maximum extent possible.”

Shortly thereafter, the Office of New York State Attorney General Letitia James issued a consumer alert encouraging New Yorkers to encrypt their messages and to be mindful of which encrypting messaging app they use. “When selecting a messaging app, make sure you understand what other information the app may collect or send, such as your location and profile picture, and whether that information is also encrypted.”

These recommendations came in the wake of revelations that the Chinese government engaged in a massive and ongoing hacking operation in which they infiltrated major US telecom companies to spy on Americans.

As the New York Attorney General suggests, choosing the right end-to-end encrypted messaging app isn’t as simple as it sounds. Signal is considered to be of the best and is the only messaging app specifically named in the CISA security guidance [PDF]. Of course, any messaging app offering end-to-end encryption is far better than no encryption at all, and Signal may not be an option if the person you’re trying to message doesn’t have the app loaded onto their phone.

All the encryption in the world is of no use if your phone itself is not properly secured, so make sure your phone is protected with a strong passcode and your messages are not being synced unencrypted to a cloud.

Policy Corner

A photo of a drone hovering in the forest at daytime. — Photo by Clay Banks on Unsplash

The Real Drone Panic

Diane Akerman, Digital Forensics Staff Attorney

The holidays might have been distraction enough for everyone else to move on from the mass hysteria caused by the NJ Drone Panic, but for the Digital Forensics Unit (DFU), panicking about drones is evergreen. While the NJ situation was “almost definitely a mass delusion caused by a bunch of people who don’t know what they’re talking about looking at the sky and reporting manned aircraft and hobbyist drones as being something anomalous,” we are here as the people who definitely (mostly) know what they are talking about to tell you why you the reasons you should, actually, be afraid of drones.

We are not here to tell you drones are not cool. Tech is cool! Have you watched drone footage from downhill mountain bike or cyclocross races? You should because it is extremely cool. You know what is not cool though? Law enforcement asking a private company to use drones to surveil someone’s home (won’t someone think of the curtilage?) without a warrant.

Also not cool? That, according to the latest report [PDF] released by the Office of the Inspector General for the NYPD (OIG) auditing POST Act compliance, the NYPD has (once again and again and again) failed to remotely comply with their own basic policies.

The NYPD first announced its Unmanned Aircraft Systems (UAS) program in 2018, which was implemented by TARU – the Technical Assistance Response Unit. Since 2019, the NYPD’s use of drones has slowly increased – both in the frequency and types of situations that drones are deployed. In July 2024, the NYPD vastly expanded their use of drones, and announced a pilot program called the “Drone as First Responder Program” which involved deploying drones to “priority public safety calls” including the very urgent priority of responding to bogus and unreliable ShotSpotter alerts. The steady increase in use of drones has occurred in spite of valid and ongoing privacy concerns about police surveillance due to the lack of “meaningful restrictions” on their use.

Those fears were founded. Not only do the NYPD’s policies [PDF] lack any meaningful restrictions, they are so out of date about the approval process, documentation, and most troubling about the drone’s capabilities – that they are useless for the primary purpose they are created - to provide the public with oversight and transparency about the NYPD’s use of surveillance tech. The policies contemplate that the drone program is implemented by – that is approved, documented, and piloted - exclusively by TARU, while in reality, the NYPD has created an entirely separate Drone Team. They make no mention of capabilities like glass breakers, real time two- and three-dimensional mapping, and most troubling, features that allow for fully autonomous patrols without human intervention. A promise that the drones are not equipped with weapons or facial recognition technology is no comfort in the face of an otherwise total lack of disclosure about the full range of the drone fleets capabilities.

The OIG could not even completely asses the program, as the NYPD failed to respond to many of OIG’s requests for information – something anyone familiar with Freedom of Information Law (FOIL) practice will find very relatable. The OIG made pretty basic requests, based on the NYPD’s only policy’s descriptions of how drones are deployed, including operator manuals, Remote Pilot Certificates, and deployment records for all of NYPD’s drone operations. The NYPD provided partial records 5 days before the final report was released and included only records from the Transit Bureau (who are apparently mostly concerned with teenage subway surfers).

So the real drone panic? That an agency that cannot, after four years, and numerous reports [PDF] detailing their failure to comply with a very simple transparency law, is allowed to maintain and deploy a fleet of over 100+ privacy invading flying autonomous cops.

State of the Surveillance State Address

Still from a PATH Train video surveillance camera of a person taking a picture of the camera. — Still from a PATH Train video surveillance camera with the passengers’ faces pixelated

The Inaugural State of the Surveillance State Address: New Year’s Privacy Resolutions

Jerome D. Greco, Digital Forensics Director

Good morning. My fellow skeptics, privacy enthusiasts, and disillusioned advocates for technology, we live in trying times. Despite some wins, it is increasingly difficult to protect our private lives from the all-seeing eyes of invasive government agencies and their corporate collaborators, especially as the lines between the two continue to blur. Where many of us viewed dystopian science fiction stories as horrifying warnings of what the future could become, others apparently learned a different lesson and aspire to be the villain or build the villains. They who build Skynet first, control Skynet…until they don’t.

Schools spy on their students, employers surveil their employees, and neighbors watch neighbors. Facial recognition technology leads to tunnel vision in investigations and false arrests, but its use continues to grow. Drones put cameras in the sky, and, at the same time, there appears to be an insatiable desire to increase the number of cameras on the ground – whether it be homes, businesses, public spaces, or public transportation. Our phones and cars act as constant location trackers, but we still rely on both.

There is an ever-growing number of tools and methods to surveil people and their communities, but potentially the worst of all is data collection, analysis, and distribution because it is the foundation of so many of these technologies. Every location, every action, every decision, is catalogued and cross referenced, whether it be to investigate you, to silence you, to change your opinion, or to sell you more items you do not need. Many other forms of surveillance feed into and/or rely upon the data that is constantly being collected on everyone, and the data broker industry is lucrative and barely regulated.

Our options are limited. It is not realistic for most of society to not send their children to school, to not work, to live isolated from others, to cover every inch of themselves to avoid identification, to ditch all forms of transportation, and to refuse to use mobile technology. Even when alternatives exist, they can be expensive, difficult to maintain, or have a steep learning curve.

While legislation is a necessity and I encourage our elected officials to finally address the many harms caused by the relentless pursuit of more data and decreased privacy, it would be naïve to assume that they will do so fully and quickly. Some of the smallest changes have taken many years to accomplish.

As a result, my request to all of you is to make at least one New Year’s resolution addressing privacy in your life. Like any good resolution, its success should be definable and its goal realistically achievable. It could be something as simple as taking down your Ring camera, switching to Signal for messaging with friends, using a passcode instead of biometric unlock, or uninstalling unnecessary apps on your phone. The resolutions will differ based on the individual circumstances of each of us; some of us will start using a VPN, others may choose to use Qubes OS and CalyxOS as their operating systems of choice, while still others may encrypt their devices and drives for the first time.

Take a step towards privacy today and let’s continue to fight for a future where technology works for us, not against us.