How to secure body-worn cameras and protect footage from cyber threats

TL;DR  

• Body-worn cameras are used by police
• Cameras are taken into the field but footage could be presented as evidence
• Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio

Cybersecurity challenges of body-worn cameras in public safety 

Body-worn cameras are typically used in public safety situations (e.g. by police officers or private security) and have an interesting cyber threat model.  

These cameras are frequently used to capture evidence of crime scenes, potential perpetrators, and victims and the video is often presented as evidence in courts. The cameras are worn in a somewhat uncontrolled environment but any footage that needs to be retrieved must be handled in a verifiable chain of custody.  

• Destruction of captured video is less of an issue as the camera could simply be smashed (unless they are live streamed). 
• A stolen or found camera should not have its footage viewable. 
• Footage and timestamps must be verifiable. 
• Connecting a camera to upstream systems to retrieve footage must not pose a risk to those systems. 

Mitigating cyber threats to body-worn cameras in law enforcement 

Assuring the confidentiality and integrity of camera footage therefore needs two cryptographic approaches: 

Encrypting the video footage at rest on the camera would normally be accomplished with a symmetric AES key for speed but this could lead to a key being shared amongst a fleet of cameras (or, the need to manage a large number of keys) and the potential for recovery of a key allowing decryption of footage. 

An asymmetric public / private keypair is therefore the better option as this allows a shared public key to encrypt footage with only a centrally-held private key able to decrypt it. 

Ensuring the integrity of captured video is likely to become more important as the capabilities of generative AI increase. Cameras would need to sign footage using a private key issued by a trusted signing authority which can then be verified using a certificate chain. This is a traditional PKI model and also requires that the camera keep the key secure although a breach only affects that one device. Tracking certificate revocation in the case of lost or stolen cameras is therefore important. 

These types of devices are predominantly used by organisations at significant threat from organised crime groups. Because cameras are taken into the field and then returned to an office to recover footage they pose a risk to these upstream systems.  

If a compromised camera were connected to a network an attacker might then be able to use it as a pivot point and attack the rest of the network. This could also have implications to the integrity and confidentiality of video footage if an attacker is able to manipulate any of the keys. 

Verifying firmware through signing and secure boot is therefore critical to maintaining the trust of these portable devices. 

Many newer models incorporate Wi-Fi and BLE for livestreaming and local control from a companion app. Asides checks for traditional vulnerabilities against these protocols, vendors should also ensure that cameras do not inadvertently broadcast themselves and allow third parties to track them. 

Summary 

1. Use asymmetric ECC ciphers to encrypt video footage on body worn cameras using the public key.
   Once recovered onto a central server and decrypted using the ECC private key, symmetric AES keys can be used for long term archival storage for speed if needed. 
2. Use a PKI signing model with a trusted issuing authority generating per-camera private keys for video footage signing. 
3. Store cryptographic keys in a TPM or TrustZone. 
4. Sign firmware using a separate public and private keypair and use secure boot where possible. 
5. Consider adding device tamper detection for high threat customers.