Australian police officers at risk of real-time tracking by malicious actors

Malicious actors can use legitimate Android apps to monitor Australian police officers in real time by tracking their Bluetooth-enabled tasers and body-worn cameras, an ethical hacker has warned.

 

The hacker demonstrated in an interview with ABC News’ investigative journalism programme Four Corners that anyone can use easily-available Bluetooth scanning applications available on Android app stores to track the locations of law enforcement officers at distances of up to 400 metres.

 

The security nightmare stems from a hardware vulnerability in Bluetooth-enabled tasers and body-worn cameras supplied by US technology company Axon to law enforcement agencies worldwide. According to the hacker, the MAC addresses of these devices are visible to scanning applications as Axon failed to randomise the code to make them harder to track. The issue cannot be fixed by a software update.

 

"I think it comes down to either incompetence or laziness … it just seems like the engineers who developed this were either ignorant or incompetent," the hacker told Four Corners. "You can track police devices … from quite a significant distance away. It’ll just give it a little alert … saying ’police detected’."

 

The vulnerability could potentially enable criminal entities to track the movements of law enforcement officials in real time from safe distances, giving them the opportunity to escape or set up an ambush to endanger the lives of police officers.

 

Bluetooth-scanning applications on Android application stores can also track models and serial numbers of tasers and body-worn cameras, enabling technologically proficient criminals to trace the movements of specific law enforcement personnel over a period of time. 

 

The hacker warned that vulnerability can be easily weaponised by malicious actors. "It could be used for ambushing the police, attacking them, escaping them … organised criminal gangs or whatever. Essentially, it can be weaponised," he said.

 

The hacker first raised the issue with Australian police forces in 2024, but received no response. "Your new AXON Tasers leave the entire force essentially wearing beacons that broadcast their location. The AXON brand Tasers need to be recalled and VicPol must demand that AXON implement Bluetooth MAC address randomisation for these devices. Im trying to make you realize the danger that frontline officers face due to this vulnerability," he told Victorian Police.

 

When contacted by Four Corners, Victorian Police said it was satisfied with the security of Bluetooth-enabled police devices as internal testing determined that the devices were safe from unauthorised access or tracking.

 

The publication independently verified that police officers could indeed be tracked using Bluetooth-scanning Android applications, but received similar or no responses from other provincial police forces or police employee unions.

 

Axon knows about the vulnerability and has warned law enforcement customers to make special "operational security considerations" when deploying Axon cameras in operations where things could go south. 

"Axon Cameras’ Bluetooth and Wi-Fi radio signals can be generally detected," the company says in its trust and security page, adding that placing devices in Stealth Mode will not eliminate the possibility of real-time tracking.

 

The hacker told Four Corners that a simple software update cannot fix the vulnerability in T7 and T10 models used by Australian police forces as the vulnerability is a hardware issue. "It has been engineered in a way that they can’t patch it or update the software. The whole system would have to be redesigned from scratch … so if they were forced to recall the devices, they’d be put in a horrible position," he added.