Netragard performs regular vulnerability research against software and hardware. While most of this research is customer confidential, some of the research is intended for disclosure. The focus of our research for this article was the AXON Body 2 Body Worn Camera (BWC), which plays a critical role in protecting civilians and police officers. Due to the sensitive nature of the evidence collected by the AXON Body 2, it is particularly important that the device successfully maintains the Confidentiality, Integrity and Availability of the data that it contains.
Netragard opted to focus on BWCs because they have largely remained out of sight to the public. Despite the lack of public exposure, Axon has been very active in terms of advancing its security posture. Axon provides Penetration Testing & Vulnerability Disclosure Guidelines and also offers a private bug bounty program through HackerOne. Additionally, the Axon product line has a documented methodology regarding product safeguards, considerations and recommendations. Finally, Axon maintains tight control over the distribution of its software and firmware, which further helps to improve security.
The second generation of the Axon BWC was redesigned and built on an Ambarella System-on-Chip (SoC). The Axon Body 3 (the third generation) was then redesigned again and based on a non-Ambarella system. It is important to note that the Axon BWCs were not available for purchase until recently, and can now be found at online marketplaces such as eBay. It is fairly common for products like BWCs to make their way into second-hand markets as they are replaced by more current revisions. While Netragard did not find a useful life recommendation for Axon BWCs, the useful life recommendation for Axon’s TASER® product is five years. Generally, these guidelines are based on failure-in-the-field metrics. The same useful life recommendation may very well apply to the Axon BWCs.
Netragard’s interest in the Axon BWCs was the product of an article where a researcher found an unencrypted video on an SD card that was extracted from the Axon Body-worn camera. Netragard decided to perform research against a more recent generation of the Axon BWC to get a better understanding of its security. This resulted in Netragard acquiring several AXON Body 2 devices that were configured with firmware 1.11.16 and in online mode. It’s important to note that Netragard has not performed any research against the Axon Body 3 BWCs.
Finally, we would like to thank Axon for their cooperation and support during this project. Their positive and welcoming attitude towards security and security research is yet another example of how seriously they take the security of their products. As of the authoring of this article, Axon has produced patches for the issues disclosed herein.
What Are BWCs?
BWCs are camera systems designed to be worn by police. These devices record both audio and video with the intention of collecting incontrovertible evidence regarding cases and disputes between law-enforcement officers and the general public. In recent months, many jurisdictions have moved to purchase BWCs for their law enforcement officers and require their use. With their critical role in law enforcement and the evidence that they contain, the security of BWCs is of paramount importance. If evidence can be inappropriately accessed, modified, or removed from these cameras, then it could impact the results of legal proceedings and could put innocent people at risk.
Introduction to the Axon BWC
Even though the Axon BWC products have been on the market for approximately a decade, their proliferation outside of law enforcement agencies is remarkably low. A timeline of releases is provided below:
- 2009: Axon Pro
- 2012 and 2013: Axon Flex and Body
- 2015 and 2016: Body 2 and Flex 2
- 2019: Body 3
Netragard opted to perform research against the Body 2, which was released five years ago, but is still in regular active use today. The current version is the Axon Body 3.
Get Access: A classic embedded security example
Gaining access to the internals of the Body 2 camera system requires a screwdriver. There were no notable physical security systems in place like what one might encounter with a credit card reader for example. The physical security of any product designed to contain highly sensitive information is of the utmost importance. Key questions to ask when designing such a product are:
- How much attack surface exists beneath the product casing and how can it be made tamper proof?
- What hurdles and/or defenses can be built into the product that will hinder or stop a modern hacker from being able to dismantle and analyze the device?
- Do your product design choices impact the post-launch security of the product?
A Closer Look
Beneath the battery and below the foil, Netragard found an Ambarella SoC alongside other chip-level components.
When peeling back the foil Netragard discovered a BCM43340XKUBG.
Chipsip CT49488DD966C1, Ambarella A7LW35M, SK Hynix H26M78103CCR are all visible among various test pads.
When the PCB was removed from its case it would no longer power on. It turned out that the case contained a small metal clip that would complete a circuit on the PCB. To circumvent this Netragard soldered a yellow wire to the board where the clip would normally close the circuit. Once this was done Netragard was able to power the board on via its USB charging cable which is also used for synchronization with the Evidence Sync product.
Netragard also purchased bootleg versions of cables needed to connect the PCB to the Evidence Sync product from Amazon. Screenshots of these cables are provided below.
Connecting to Evidence Sync Software
Extracting evidence from the printed circuit board (PCB) in the AXON Body 2 proved to be more challenging than expected. This is not because of additional security layers but instead because it is exceedingly difficult to find a copy of the Axon Evidence Sync software. While it took Netragard less than one hour of cumulative time to acquire all the hardware referenced above, it took several weeks to locate a usable copy of the software shown in the image below.
The AXON Body 2 does not mount like a traditional mass-storage device and requires both drivers and Evidence Sync software. Once connected to the Evidence Sync software Netragard discovered that the data stored on the AXON Body 2 was not encrypted at rest. If encryption were in use (it can be configured on the AXON Body 2 in online mode), then evidence extraction would be blocked without a key.
The Various Modes
The AXON Body 2 supports three operating modes. A high-level overview of these modes is provided below while a more detailed overview is provided by Axon at the following URL: https://help.axon.com/hc/en-us/articles/221458387-Operating-modes
In the online mode, the Evidence Sync software uploads data from your Axon and TASER devices to your Evidence.com or Evidence.com lite account. CEW firing records are automatically uploaded to Evidence.com, but you will have to tell your Evidence Sync to upload TASER CAM and Axon videos to the Evidence.com website.
In the offline mode, the Evidence Sync software downloads data from your CEW or recorder to your computer. If your organization does not use Evidence.com, you will always use Evidence Sync in the offline mode.
Note: Enabling Offline Mode requires users to accept a disclaimer acknowledging risks to the agency and data. This mode does not appear to provide the same level of integrity (in terms of chain of evidence) as Online mode. It also places data in the user’s PC which may or may not be properly protected.
A mobile data terminal is a computer used in a police car. An MDT may also be called a Mobile Data Computer (MDC) or Mobile Computer Terminal (MCT). Evidence Sync has an operating mode for use with an MDT, called MDT Mode.
Note: In MDT mode (unlike Online or Offline mode) there is no way to remove video evidence from the device.
Some of the modes mentioned above come with restrictions as shown below. The Axon Evidence Sync software is mode aware, meaning it can detect which mode the AXON Body 2 is in.
The Evidence Sync application is mindful of camera state, and limits access accordingly.
Online mode has a much more complex authentication and user management interface for evidence.
For example, without a proper agency login, the additional functionality to remove videos is not present.
Potential Attack Vectors for Axon Body 2
With access to the Evidence Sync software, it is possible to access videos for devices in Offline mode (which is not the default) while videos on devices in Online mode remain inaccessible. When reverse engineering the Evidence Sync software, it appeared that it would be possible to create a modified version which enables an attacker to subvert the built-in security controls.
Software Reverse Engineering
With access to the Evidence Sync software it is easy to learn how the underlying system works.
With the proper analysis and access, an attacker could develop their own Axon tools.
Targeting specific desirable administrator functionality would likely be the end-goal for an attacker.
Evidence is transferred from a Body 2 to the Evidence Sync software via USB. This transfer is built on LibUSB, making it trivial to observe and reverse-engineer. This could allow an attacker to snoop on the USB communications between a Body 2 camera and the Evidence Sync software, providing access to the videos.
The communication transport for Axon Body is based on LibUSB which makes it easy to observe. An attacker with sufficient time could use this to engineer a standalone program to extract any evidence off an Axon Body 2 BWC without needing to use the Axon Sync application.
Common USB Sniffing Options:
- TotalPhase (hardware)
- Ellisys (hardware)
- VMware vusb-analyzer
Broadcom Wireless SoC – BroadPWN
While disassembling the Axon BWC (Body 2), Netragard discovered a Broadcom WiFi BCM4334 chipset which is vulnerable to the BroadPWN vulnerability. BroadPWN is a Remote Code Execution (“RCE”) vulnerability that, when exploited, allows an attacker to execute arbitrary commands. Exploits for this vulnerability do exist in the wild but are generally designed for Android and iOS targets. Modifying the exploit to target the BroadPWN vulnerability in the Axon BWC is not a trivial task. Additionally, Axon implemented mitigations for this vulnerability in the newer versions of its firmware. Netragard has not tested the efficacy of these mitigations.
The following image contains disclosure commentary about the BroadPWN vulnerability affecting BCM43340XKUBG.
An attacker can easily detect Bluetooth Low Energy (“BTLE”) signals broadcast from Axon BWCs by searching for its private OUI which is 00:25:DF. Additionally, some AXON Body 2 devices broadcast a device name via their MAC address 12:20:13:03:33:05. While it is possible to disable wireless functionality, this may not be a viable solution for some parties. While detecting an AXON Body 2 does not introduce risk, it does enable an attacker to target the device which could have a significant impact. The following images show the various ways Kismet can detect these devices.
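For an agency confirming that disabling wireless on its own cameras actually took effect, the identifiers above can be checked against a scanner export. The following is an added example, not code from Netragard or Axon; the scan rows and their (address, RSSI) layout are constructed, and only the OUI and the single address come from this article.

```python
import re

AXON_OUI = "00:25:DF"            # OUI stated in the article
NAMED_MAC = "12:20:13:03:33:05"  # address stated in the article

# Constructed sample rows: (observed address, RSSI in dBm)
SAMPLE_SCAN = [
    ("00:25:df:1a:2b:3c", -71),
    ("0025.DF1A.2B3C", -64),     # same device, dotted notation
    ("12-20-13-03-33-05", -80),
    ("a4:5e:60:00:11:22", -55),  # unrelated device
    ("not-a-mac", -90),          # malformed row, must be skipped
]

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or None if raw is not a 48-bit address."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit is set, i.e. the prefix is not a registered OUI."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(scan):
    """Map each matching address to (reason, strongest RSSI, locally administered)."""
    findings = {}
    for raw, rssi in scan:
        mac = normalize_mac(raw)
        if mac is None:
            continue
        if mac.startswith(AXON_OUI):
            reason = "oui"
        elif mac == NAMED_MAC:
            reason = "named-address"
        else:
            continue
        best = findings.get(mac, (reason, rssi))[1]
        findings[mac] = (reason, max(best, rssi), is_locally_administered(mac))
    return findings

if __name__ == "__main__":
    for mac, (reason, rssi, local) in audit(SAMPLE_SCAN).items():
        print(f"{mac}  match={reason}  rssi={rssi}  locally_administered={local}")
```

An empty result after wireless has been disabled on every issued camera is the expected outcome; any remaining match is a device still advertising.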
The Axon Body 2 BWC is a critical piece of hardware that ensures both civilians and law enforcement officers are protected. This is accomplished by recording both audio and video evidence. This evidence can mean the difference between freedom and imprisonment as demonstrated through various recent public incidents.
Axon was made aware of this research project well before the publication of this article. Axon was not only cooperative but provided support as needed and maintained an open and friendly communication channel with Netragard. Axon has addressed the vulnerabilities disclosed in this article and the fixes have already been pushed to customers.