Data from Police Body Camera Apps Routed to Chinese Cloud Servers Over TLS Port 9091


Cybersecurity: Analysis of Police Body Camera Data Transmission

The security and integrity of police body camera footage are crucial for maintaining the validity of evidence in court proceedings. A recent investigation into a budget-friendly body camera system has uncovered that its companion mobile application, Viidure, transmits sensitive device identifiers and user data to cloud servers located in China via a nonstandard TLS port. This raises significant concerns regarding data privacy, chain-of-custody, and compliance with U.S. law enforcement policies.

Technical Findings

Wireshark packet captures on an isolated network revealed that the Viidure mobile application establishes encrypted sessions to multiple domains. Notably, the endpoint app-api.lufengzhe.com:9091 resolves to IP address 115.175.147.124, which WHOIS records confirm belongs to HUAWEI INTERNATIONAL PTE. LTD. in China.

Additionally, the application communicates over standard TLS port 443 with Baidu mapping services (api.map.baidu.com and loc.map.baidu.com), presumably for geolocation features. The use of port 9091 for core API traffic suggests custom server configurations or intentional obfuscation of data flows. Routing video-related metadata and device identifiers through Chinese-hosted servers poses potential exposure to foreign government surveillance and unauthorized access.

Man-in-the-Middle Analysis

A man-in-the-middle (MitM) test using the mitmrouter framework and mitmdump in upstream mode indicated inadequate TLS validation within the Viidure application. iptables rules redirected both port 443 and port 9091 traffic through a local proxy chain terminating at Caido. Although the proxy presented a forged certificate mimicking the Chinese cloud server, the mobile application did not reject the connection, so all HTTP message contents exchanged between the app and the cloud appeared in plaintext within the proxy logs.

Sensitive intercepted requests included a version check endpoint (/iot/api/v1/version/check), where the application transmitted the device’s International Mobile Equipment Identity (IMEI) and the operator’s email address. Exfiltration of IMEI values undermines device anonymity and enables tracking of individual officers and the sensitive video data they collect. Moreover, the lack of robust certificate pinning or TLS validation allows potential interception or manipulation of video-management commands.

Implications for Law Enforcement

Police departments nationwide increasingly rely on body camera ecosystems from third-party vendors. If a vendor’s infrastructure is located in jurisdictions with divergent data-protection regulations, videotaped encounters become vulnerable to data-sovereignty violations. The Viidure app’s communications to Chinese servers may contravene policies requiring secure, localized storage of evidentiary material. Exploiting flawed TLS validation could permit unauthorized actors to inject malicious firmware updates or delete footage mid-transit.

Agencies should demand transparency from body-camera manufacturers regarding data-flow diagrams, server locations, and cryptographic safeguards. Procurement contracts must ensure all cloud services reside within approved jurisdictions, employ TLS with certificate pinning, and undergo independent security audits.

To safeguard public trust, law enforcement professionals should:

  • Protect chain-of-custody by configuring network firewalls to block unauthorized outbound traffic.
  • Mandate that vendors implement strict TLS server-certificate validation and pinning.
  • Audit mobile applications for data exfiltration patterns and confirm compliance with CJIS and other data-security standards.
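
As an added illustration of the audit step (not code from the investigation or the vendor), the Python sketch below checks decrypted requests from a test-proxy log for the patterns described above: an unapproved destination, TLS on a nonstandard port, and an IMEI or email address in the request. The approved-host list, the JSON field names and the sample values are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the agency's approved destinations (placeholder value).
APPROVED_HOSTS = {"evidence.agency.example"}
STANDARD_TLS_PORTS = {443}
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this rejects arbitrary 15-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_request(url, body):
    """Return findings for one decrypted request from a test-proxy log."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    findings = []
    if parts.hostname not in APPROVED_HOSTS:
        findings.append(f"unapproved-destination:{parts.hostname}")
    if parts.scheme == "https" and port not in STANDARD_TLS_PORTS:
        findings.append(f"nonstandard-tls-port:{port}")
    text = f"{parts.query} {body}"
    if any(luhn_ok(m) for m in IMEI_RE.findall(text)):
        findings.append("imei-in-request")
    if EMAIL_RE.search(text):
        findings.append("email-in-request")
    return findings

# Constructed sample records: host, port and path are from the article;
# the JSON field names and all values are invented for illustration.
SAMPLE = [
    ("https://app-api.lufengzhe.com:9091/iot/api/v1/version/check",
     '{"imei": "490154203237518", "email": "officer@agency.example"}'),
    ("https://evidence.agency.example/upload",
     '{"clip_id": "123456789012345"}'),  # 15 digits, fails the Luhn check
]

def audit_all(records):
    return {url: audit_request(url, body) for url, body in records}

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE).items():
        print(url, "->", findings or "clean")
```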

The integrity of police body camera evidence relies not only on the device’s recording capabilities but also on the security of its data-management pipeline. Low-cost solutions may introduce unacceptable risks, jeopardizing both privacy and prosecutorial efficacy. Continuous scrutiny of vendor implementations and adherence to stringent cybersecurity requirements remain essential to safeguarding public trust.
