EFF: New License Plate Reader Vulnerabilties Prove The Tech Itself is a Public Safety Threat

Automated license plate readers "pose risks to public safety," argues the EFF, "that may outweigh the crimes they are attempting to address in the first place." When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and "fingerprinting" their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions' Vigilant ALPRs, including missing encryption and insufficiently protected credentials...

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems... Because drivers don't have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It's a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote an article in Police Chief magazine this month that public safety agencies "are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel," even though "the potential for harm from external factors is substantial." That partially explains why, more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks "targeting U.S. public safety organizations increased by 142 percent" in 2023.

Yet, the temptation to "collect it all" continues to overshadow the responsibility to "protect it all." What makes the latest CISA disclosure even more outrageous is it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs... If there's one positive thing we can say about the latest Vigilant vulnerability disclosures, it's that for once a government agency identified and reported the vulnerabilities before they could do damage... The Michigan Cyber Command center found a total of seven vulnerabilities in Vigilant devices; two of which were medium severity and 5 of which were high severity vulnerabilities...

But a data breach isn't the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.
The article concludes that public safety agencies should "collect only the data they need for actual criminal investigations.

"They must never store more data than they adequately protect within their limited resources-or they must keep the public safe from data breaches by not collecting the data at all."

Re:

[DarkVader]

Done in one.

ACAB.

Re:

[Tony Isaac]

People like you are tempted to think that cops are evil, until there are no cops. If you hate cops so much, Haiti is the place for you. The gangs have taken over. Somalia also comes to mind. Also, many crimes spike during hurricanes, when police are unable to respond as they usually would.

Re:

[pixelpusher220]

What other public profession routinely LIES so much we had to put body cameras on them to prove they aren't lying?

There are good cops. They also aren't reporting or stopping their fellow bad cops doing bad things. As such, ACAB

Re:

[Tony Isaac]

The real truth is, body cameras are often there to defend against lies told by defendants about their treatment by police. People who commit crimes, would love to be able to cast doubt on their own bad behavior, by blaming police. With body cameras, that option is taken away from them. I'm sure such people do think that police are terrible.

You clearly have a major beef with police. But you have no actual evidence that police are as corrupt as you say they are. I'm sure you can come up with some anecdotes, b

Re:

[pixelpusher220]

Sounds pretty white there dude.

Re:

[Tony Isaac]

And there it is, you are making assumptions about my race based on my support for police. That...is racist.

Re:

[LostMyBeaver]

It could be possible it's a bit of both.
I grew up in a place and time where I was regularly harassed by cops for simply being an adolescent. I knew good cops, guys I trusted. But I knew a bunch of cops that had a lot more money than they should who spent their time with friends wearing very expensive suits.
This was NY during Gotti Sr's reign.
Police cameras would have been a REALLY good thing.
In more recent times, I have seen cops treat a friend of mine whose only crime is a blood disease that makes him look

Re:

[Tony Isaac]

Yes. Police do make bad choices sometimes. And cameras, in that they reveal the truth, are a good thing. If a cop is rotten, they *should* be put away, and hopefully the camera evidence will help do that.

Re:

[ls671]

What other public profession routinely LIES so much we had to put body cameras on them to prove they aren't lying?

There are good cops. They also aren't reporting or stopping their fellow bad cops doing bad things. As such, ACAB

It's the same in all professions, there are good ones and bad ones. Your ACAB is therefore pure non-sense.

Re:

[jythie]

The people who say 'ACAB' want police, they just acknowledge that the current police are little more than another gang who happens to have enough legitimacy to get government support.

It is interesting that you reference Somalia since that is a paradise to the pro-police crowd. Police there are local and answer to local powers, there is no oversight and the population has no counter against them. Somalia is what happens when there is no balance against the police.

Re:

[Tony Isaac]

Only those who want to rebel against the law, would view police as "just another gang." For those of us who want our streets to be safe, we value the role of police and insist upon their presence.

Police should indeed be restrained. That's why we have a Constitution. There is a such thing as police corruption. But this is not the norm in the US. If you want to experience police corruption, visit any country south of the US, where bribes are the norm. That kind of police force can indeed be "just another gang

Storage

[markdavis]

>"it results in gargantuan databases of sensitive information"

I would argue that. It doesn't "result in", but it CAN result in, or maybe even USUALLY results in. It brings about the question as to why they are installed and how they are using them.

If they were just buffering data and sending it along to be compared to some database of wrong doing or active threats/chases/issues and then the data is discarded, that poses minimal privacy or safety concerns. And that is unlikely how most of this is done.

Re:

[Baron_Yam]

The way it used to work was a daily download of wanted plates, with notes as to why, to every ALPR unit. They would then only record and notify on hirs against that database and the cop would decide if it was worth a stop and a live records check.

Maybe that's changed with ubiquitous low-cost cellular data. It's been a while since I've been involved with that stuff.

But even if it hasn't, it's easy enough to collect everything and upload it automatically on return to home. Typically there are already robus

Re:Storage

[sunderland56]

This. Look up plate, if no match then discard.

There are not only privacy concerns here; a 'gargantuan database' costs the taxpayers money.

Re:

[jacks smirking reven]

I think this gets a little bit messier since I imagine in most states but at least in mine ALPR is also used for over 90% of toll charges with most of the major highways near me effectively using that almost exlusively, a recent large expansion only uses ALPR, the RFID readers for the old school system did not even get installed as far as I am aware, it's all charge by plate so you already have this defacto database of drivers and when they pass through tolls and that gets stored for quite awhile so custome

Re:

[markdavis]

Even in that case, the data only need to be saved if a ticket is to be issued or a toll is charged. I ride a motorcycle so it is toll-free, but I can almost guarantee the data are still stored. Regardless, once the dispute period is over, I doubt the data are purged.

Besides, there are far probably far, far more ALPR's and general video cameras for non-toll-use than for toll-use. I lump general video into the mix because at least some of them could be turned into a reader through post-facto analysis. Jus

Re:

[jacks smirking reven]

Yeah I think the only way around this is Federal or at the very least comprehensive State regulations on data storage policies and enforcing that the equipment and services necessary to accomplish that are factored into the costs of the systems. Before municipalities go around throwing these sytems with just cameras cameras cameras everywhere and then worry about the data afterwards those long term costs should have to be built into prodcurement prices. Might change their tune if these things if suddenly

Re:

[93 Escort Wagon]

Those collectors are a sparse set, placed in fixed locations. Their use can also be considered at least somewhat voluntary.

Even a semi-competent admin should find it simple enough to segregate those datasets from the ones being collected through mobile license plate readers. Or, for that matter, even if it's all kept in one database - since the location data is recorded (it has to be, to enable the desired functionality), it would be simple enough to remove all data points that don't correspond to one of th

Re:

[cayenne8]

I imagine in most states but at least in mine ALPR is also used for over 90% of toll charges with most of the major highways near me effectively using that almost exlusively

It has been a VERY rare thing in my life to ever see or have to deal with a "toll" road.

I would venture that in most states...toll roads are pretty rare...?

Re:

[jd]

Why? You don't have to store each license plate individually, as per an RDBMS. You can have the license plates stored in a parse tree. Indeed, any decomposable data can be stored in trees. Trees are highly space efficient for this, because you never store the license plate itself, its position in the tree IS the license plate.

All searches become tree searches, which is also likely to be faster than any decent hashing algorithm and a lot faster than most RDBMS lookups.

Each node needs two ID numbers, one poin

Re:

[stooo]

>> Look up plate, if no match then discard.
It does not work that way. Lookups are recorded too (and for good reasons).
Now try to design a system that does not record lookups, but still prevents abusive rogue users....

Re:

[strikethree]

a 'gargantuan database' costs the taxpayers money.

You have no idea how much you are paying to have the various levels of government to store and access data. The data trails that your life leaves behind are absurdly large, that is why the commercial sector is involved at all. It is too much for a government to manage... but they want access to ALL of it. Whether or not you are an ally is of supreme importance. If you will support the powers that be, your life will be pleasant and relaxing until their policies tank the country for everyone (Putin). If you o

Re:

[markdavis]

>"The only way to be safe is for these things to not exist at all."

I have said that for ages and end up being told that it is a slippery slope fallacy. Or the ever-present "no expectation of privacy in a public place."

>"Going after it for being insecure is the best way to get rid of these things"

It is a good and valid reason (among others), for sure.

* They will always find some reason to save/store the data.
* The temptation to misuse such saved/stored data is always very high.
* If the data is collect

Re:

[pixelpusher220]

yep. We're coming up on a dangerous place. There was just a court case where cops set up a camera *across the street* to observe someone's house. For 80+ days.

Was ruled as not an invasion of privacy. 80 DAYS of surveillance w/o any warrants and not a violation.

Soon it won't be necessary to do tracking surveillance when you can access lots of 3rd party 'public' systems to build your entire travels that day.

I have experience with this

[Baron_Yam]

Can't say where or who of course, but I was involved in the implementation of a regional ALPR system.

It started as a program to catch wanted individuals by checking for plates linked to people with active warrants or prohibited drive orders. Then they added checking for expired plates or insurance. Then they added checks for known associates of people of interest.

The one they hadn't implemented by the time I left was the complete data hoover - adding permanent cameras at major intersections and doing regular patrols of mall parking lots with mobile units and recording everything, then keeping it basically forever so they could mine the database for any vehicle's movements as far back as the records went.

The justification was to look for vehicles present at multiple crimes. The potential for abuse was so great I assure you I risked my career resisting it. It's not hackers getting access, it's cops stalking people you should be afraid of. The ones who have a beef with someone and want to settle it extrajudicially, the ones who can't take no for an answer from the object of their romantic interests, the ones who want to our somebody for going to the 'wrong' store or social gatherings.

Without very tight rules, strict enforcement, and draconian punishments... You should not allow cops to collect this kind of data. It is only a matter of time before you regret it.

Re: I have experience with this

[Impy the Impiuos Imp]

The only way around this is for private citizens to set up license plate readers, then broadcast the locations politicians go to.

No, government politicians. If you're gonna do a panopticon, which is a tool dictatorships use (someone should write a book about that!) then you suffer from it, too.

Re:

[Baron_Yam]

So Toronto used to have a mayor who would have his driver park illegally everywhere he went. It's not like he had to pay, right?

People noticed the custom plates, and it started getting tracked and reported to the news media. So they ditched the vanity plates and the scandal went away.

Without a trustworthy database of plates, you're just whipping up a mob against what might be innocent people.

Re:

[ArchieBunker]

Was that the mayor who smoked crack?

Re:

[Baron_Yam]

I actually think it was the bipolar furniture salesman, but I'm not sure.

Re: I have experience with this

[ArchieBunker]

Oh they will pass a law overnight making that illegal. Just like they did after Elon and Taylor Swift jet tracker gained popularity.

Re:

[dfghjk]

"...Elon and Taylor Swift..."

LOL you know those were years apart, with lots of action in between, right? Elon, most definitely. Taylor Swift, just some daily news.

Re:

[AmiMoJo]

That has already happened in the UK. We have had an extensive network of ANPR cameras for years, all feeding data back to the police.

If you want to set up your own, you need to be complaint with GDPR. Naturally the police can justify their use of such data for law enforcement, but as an individual it is much harder. In fact if you tried to monitor the movements of individuals, it would be impossible - what reason could justify such an invasion of privacy?

Even domestic CCTV is supposed to minimize the area i

Re:

[Eunomion]

Panopticons, while dangerous, are overrated as both a threat and a tool. Several times, history has proven they're a money pit that swallows whole institutions in the amount of data they create, and that was before the absurd quantities generated by mass-computing. The most infamous of all time, East Germany, had practically buried itself alive in its own spy architecture, to the point that a full third of the population was employed to spy on the rest and each other.

One caveat is that this happens onl

Re:

[detritus.]

This would be an excellent way to raise public awareness - set up a real-time ALPR rig with a digital billboard type display that displays to drivers a snapshot of the back of their vehicle with their license plate number.

One could probably hack something together pretty easily with plateanalyzer.com or openalpr.

Re:

[ArchieBunker]

adding permanent cameras at major intersections and doing regular patrols of mall parking lots with mobile units and recording everything, then keeping it basically forever so they could mine the database for any vehicle's movements as far back as the records went.

It's happening all over. https://theappeal.org/with-vas... [theappeal.org]

Careful of privacy laws

[redelm]

Many jurisdictions have laws forbidding general access to plate database information. (However poorly enforced.) ALPRs might be in violation if they hit the general DB and not some hotlist. A less-incompetant defense attorney might be able to invoke "fruit of the poisoned vine".

Re:

[Baron_Yam]

In the setup I am referring to, all the data is in police hands so (at least here) privacy act doesn't apply so long as the data is used for police purposes.

The feds here are pretty serious about cutting off agencies that abuse data - I've seen people walked out the door for inappropriate access, and they don't even bother to discuss it with the union (sorry, 'association'). You're just gone and nobody talks about it.

I've never seen provincial data abused, but I get the feeling the OPP doesn't fuck around

Re:

[redelm]

Granted Canada is a distinct society. With different checques and balances. Abuses tend to cause complaints which tend to come out in courts and/or press. Imagine a child custody/support case hingeing on ALPR data. Even lazy US press might cover it.

Re:

[Baron_Yam]

'Cheques and balances'. Well played. Very well played.

But with respect to Canada, 'distinct society' is a politically incendiary term - it is used by French separatists when demanding special treatment under federal law.

Re:

[redelm]

Notwithstanding bloques claiming the same within N.America. I am honoured and aware.

Re:

[dfghjk]

Correct, it is a tool to commit crimes, not to solve or prevent them. The only question is who is doing the committing.

Re:

[detritus.]

I'm waiting for when they start tracking bumper stickers to sell to data brokers and alert cops of the contents of "high risk" vehicles in the vicinity based on the content.

There won't be any tight rules or strict enforcement. Whether regional or centralized, self hosted or in the cloud, it's software rife for abuse and data rife for stealing. Police who collect this kind of information on citizens are violating their oath to protect the privacy rights of citizens. These theories where they believe they

Re:

[strikethree]

The one they hadn't implemented by the time I left was the complete data hoover - adding permanent cameras at major intersections and doing regular patrols of mall parking lots with mobile units and recording everything, then keeping it basically forever so they could mine the database for any vehicle's movements as far back as the records went.

This is the current stage where I live.

Ah ... technology

[Kiliani]

I have personal experience with these readers not being able to discern "I" from "l". And I know, you can't either ;-) Gladly in my case it was comical and annoying, not serious and with bad consequences. The fix was even more comical than the problem ... it was "we'll just store all the possible permutations". Which, you know it, *will* cause problems some day in the future.

Re:

[antdude]

I really hate Arial and Helvetica fonts with I, l, etc. :(

Re:

[jacks smirking reven]

License plate removal and obscuring alrady is becoming a big problem with these systems so it's become this sortof cat and mouse game. That said I hope the authorities realize they also have to scale back on automated systems as part of combatting that because that is a real problem so you do in fact want to enforce pretty hard on people who do that.

IMO plate removal or obstruction should be automatic suspension, it's not something we can tolerate on the roads but you also have to deal with the factors tha

Re:

[jacks smirking reven]

Yes suspension of license. Driving is a priveldge and intentional removal or clouding of info to circumvent the law can constitute revocation of that privledge.

It's your reponsibility to ensure that you license is valid and readable. If it's caked with dirt that's on the officers discretion but it is technically illegal. I would say you get a warning but 2, 3 times? No more warnings, you can make your case to the judge.

My entire point you sortoff glazed over is laws do in fact to take into account how pe

Re:

[jacks smirking reven]

I believe driving is a right.

I think you could make that argument, i dont necessrily disagree with it, I'm a big "Second Bill of Rights" guy so im open to it but that does mean positive rights are a thing, no way around it. Just so we are clear. The fact people rquire cars in America is a weird American side effect we are struggling with, I don't think guaranteeing road access for the worst or most unqualified drivers is exactly the solution though. We require discipline and responsibility on the public roads, it is a shared space wi

Re:

[stooo]

>> Suspension of what? Their license to drive? The registration of the vehicle?
Take away the vehicle on the spot.
That is how it's done in Europe, and it's nicely effective.
The resulting bipeds do not need a license plate, and are thus not illegal any more.
They also strangely quickly put back both their license plates to get the car back.

Re:How long before people take off license plates?

[crunchygranola]

Civil disobedience has been used with considerable success in the past to get change from government when applied widely enough. If automated license plate readers start posing enough of a hassle and hazard to people then people will just remove their plates and accept the consequences of being caught without a plate.

"Will just" is doing a helluva lot of work there. The consequences are being busted the very first time they pass a cop on traffic duty (highway patrol are always on traffic duty). In California that is a $197 fine plus court costs for the first offense. Continued infractions and you will lose your license.

Only a massive coordinated campaign for a lot of people to do this at once would work.

Most passive civil disobedience of this sort is not the glaringly obvious in public sort that gets you instantly busted. Now civil disobedience demonstrations are like that, but they depend on lots of people getting together at once.

Re:

[Nkwe]

The consequences are being busted the very first time they pass a cop on traffic duty (highway patrol are always on traffic duty). In California that is a $197 fine plus court costs for the first offense. Continued infractions and you will lose your license.

In California does the highway patrol actually pull people over for minor infractions or missing plates? I ask because up here in Oregon, traffic enforcement has basically been halted since the pandemic. It is extremely rare to see anyone pulled over. There are lots of vehicles driving around with expired registration and missing plates. Oregon requires license plates on both the front and rear of the car, yet a missing front plate is common - particularly on Tesla sedans. Excessive speeding is rampant. Off

Re:

[rthille]

My brother (way back when) was driving his new car without CA plates (euro-delivery VW) within a few days of picking it up at the port and a CHP pulled him over and wrote him a ticket for driving the car unregistered.

Re:

[bloodhawk]

missing plates is not a MINOR infraction and yes they absolutely will pull you over for it.

Re:

[strikethree]

"Will just" is doing a helluva lot of work there. The consequences are being busted the very first time they pass a cop on traffic duty (highway patrol are always on traffic duty). In California that is a $197 fine plus court costs for the first offense. Continued infractions and you will lose your license.

I can assure you that where I am, I am seeing LOTS of cars without valid plates. Possibly as high as 1% are without valid plates. It takes less than 20 minutes of driving to spot several of them.

i am sure it happened already

[FudRucker]

the system been cracked, hacked and smacked and all the data bled out and soldcon the dark web

Re:

[AmiMoJo]

If it had then security researchers would have published that fact by now, and scammers would be sending you emails claiming to have your driving history and threatening to send it to your family and employer.

It's only a matter of time, but it doesn't seem to have happened yet.

Fuck off

[backslashdot]

I should have the right to collect video surveillance of public areas to keep my home and neighborhood safe. If you don't like it don't come around here. At the same time, I can understand how it would be petty to use video surveillance to out someone who is having an affair or visiting a strip club. I'd favor a law making video surveillance 1. unusable in prosecution of crimes other than ones that are seriously violent or heinous, and 2. illegal to use for the purpose of defamation 3. illegal to store without safeguard 4. illegal to keep for more than 30 days.

I'm not giving my right to keep myself and my neighbors safe because you want to jerk off on the street or visit your side chick.

Re:

[mrbester]

I'd like laws in UK to not be enabling this movement surveillance by the back door: ANPR cameras are everywhere so your vehicle movements are tracked. Then there's sections 163 and 164 of the Road Traffic Act that enable any constable to stop any car at any time and demand personal details of the driver (no suspicion of crime required). Add those two together and you've got the movements of an individual being tracked (even if the car can be driven by more than one person, that is likely to be a spouse or f

Re:

[mrbester]

* sliding of there = showing if there.

Fukkin autocorrect.

Re:

[backslashdot]

I think there should be a frequently audited multi-party notification system whenever a cop accesses surveillance info. That way any harassment usage would at least require a large number of conspirators. The parties notified of surveillance usage must be composed of a frequently changed random/independent citizens at least a few of which are chosen the same way as jury duty. Furthermore, any person who was tracked or identified via surveillance must be notified within 120 days of it.

It's not the same

[lamer01]

You are definitely allowed to record at a single location. But, if you have a network of devices recording at many locations and the data is indexed in a way that a person's whereabouts can be tracked in space and time then that requires a warrant afaik.

License Plate Numbers are PII

[laughingskeptic]

License Plate numbers have become PII through these data collection efforts. This means that companies and government agencies that are not treating the disclosure of License Plate Numbers as disclosure of PII are breaking the law.

Re:

[laughingskeptic]

The Federal Government's definition of PII has no exception for Public Information:

Personally identifiable information (PII) is ANY information connected to a specific individual that can be used to uncover that individual's identity, such as their social security number, full name, email address or phone number.

You are missing the point. By allowing the unfettered aggregation of the state's data the government has failed its citizens.

If you are a property owner, your full name and address are pub

what crimes are they attempting to address?

[dfghjk]

"...that may outweigh the crimes they are attempting to address in the first place."

They weren't created to address crimes "in the first place", that was merely a public justification.

Much ado about very little

[timholman]

The article concludes that public safety agencies should "collect only the data they need for actual criminal investigations.

Which is exactly the way the law is written where I live. Ten day maximum retention of data (to allow the police to backtrack in case of a felony investigation), the city retains all data, access to the database is restricted to authorized personnel with all requests logged and audited, no use of the database for traffic violations or any other minor infractions, and all LPR "hits" m

Re:

[schwit1]

It is a big deal because the government can't be trusted. The people in government have learned that there are no consequences when they violate the law.

The most they get is a slap on the wrist.

Consent?

[fahrbot-bot]

ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems...

Is there an expectation of privacy when out and about in public, even for your vehicle?

The problem's not the reader

[russotto]

It's the requirement to have a license plate. Wise heads will intone that you need to have license plates or you have no accountability. Well, you can have accountability or you can have freedom; one is the opposite of the other. If you are being held to account (i.e. punished), you are not free.

Relatively easy to do

[ZipNada]

I can build an ALPR unit for about $100 in parts, but it would require wall socket power so that limits the locations where it could be placed. Adding enough battery for a few days of power would be about a hundred more, and a solar panel would not be much extra. That unit could be put anywhere I own or have permission.

My point is that it's so cheap to make these that it will be very hard to prevent proliferation.

Vigilant devices

[ZipNada]

The main problem mentioned here is the crap security in the Motorola license plate readers. A serious blunder on their part to be sure and a black mark on their reputation, but presumably fixable.

It should also be possible to cause those systems to limit the data storage and provide appropriate filters and access permissions. But will police departments insist on this? Probably not on their own.

Plate Injection

[devslash0]

Evil'; DROP TABLE plates; SELECT * WHERE '1'='1

Re: Plate Injection

[devslash0]

In case we're dealing with atomic multi-statement queries. The actual payload would need to correctly guess the names of the fields in the original query. Otherwise, we'd have a "hanging" bit of a query left which would trigger a syntax error, potentially failing and preventing to commit the whole thing.

The same logic applies to security cameras

[Tony Isaac]

Nearly 100% of businesses and government agencies, and a very large number of homes, rely on them. These cameras are often easy to hack as well.

While there are some people who loudly object to security cameras in principle, most, judging by their actions, embrace them.

The solution here is to address the security flaws, not eliminate the readers.

Poor security is inexcusable.

[jd]

Yes, cybersecurity is a moving target, but we're talking about real basic stuff here. Detecting if encryption is enabled isn't hard, for a start. But intruders really shouldn't be getting that far.

Really, if intruders are making it past the external firewall/NIDS arrangement, there's already a problem. Connections to secure facilities should only be from trusted sources, and if your sources are trusted, they can be over IPSec or WireGuard, which means you can verify that the connecting computer is who they say they are.

Arguably, for a government system, you should have strong authentication of the remote network being connected from, strong authentication of the remote machine that is connecting, AND 2FA (with the second factor a Class III digital certificate on a smart card, a system the Federal Government in the US started rolling out in 2001) to authenticate the user.

That should be to just connect to the network hosting the software.

Users should not have direct access to the software itself, but only to a secure proxy that sits in a subnet specifically for it and nothing else, where the proxy is either a single-process OS like SEL4 or a tightly controlled environment where it's pointless to break out.

At thus point, the defective security of the application really shouldn't matter a whole lot.

New product idea

[MooseTick]

I can a product being popular that blocks a license plate being read while parked. You can't drive with no plates without risk of being pulled over, but you could easily block it from being read whenever parked and lots of services and police scan cars parked at stores, malls, apartments, etc. It could even still show the registration sticker so places can be sure they aren't "expired".

gargantuan databases

[strikethree]

few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats.

LOL, this data is being exported to the "cloud". They are not managing it locally. Worse yet, numerous departments use the same cloud provider, so someone is aggregating all of this data and the agreements (yes, I have personally seen them), do not specify clearly ownership or access to the data.

TL;DR, The panopticon is in place. You thought the "cloud" was secure, but it is not. It explicitly grants access to privileged organizations that would not normally (legally) have access to such information.