Digital threat in the form of a patrol camera: Luxembourg police servers may have been hacked

Luxembourg has found itself at the centre of an international cybersecurity scandal: as German expert Tim Philipp Schäfers has revealed, Luxembourg's special police unit Gato2 used the Media Relay System (MRS) video surveillance system developed by Israeli company Infodraw - and it proved to be dangerously vulnerable.

The problem was discovered almost by accident. By examining publicly available IP addresses, Schäfers found between 20 and 30 vulnerable Infodraw servers around the world, including one unambiguously belonging to Luxembourg. This server allowed connection without a password, opening the gateway to potentially sensitive data.

MRS vulnerabilities gave attackers a wide range of possibilities: accessing all audio and video recordings, connecting fake cameras, erasing or modifying recordings, and installing malicious firmware for long-term control of the system. It's not just about leaking data, it's about tampering with investigative materials, tampering with evidence, and covert surveillance.

After the publication of the story in the German publication Golem.de and an alert from the national cyber defence service GovCERT.lu, the suspicious server was immediately shut down. A police spokesperson confirmed the use of the system and assured that there were no signs of compromising personal or investigative data at this time.

However, a forensic audit was launched. The police emphasised that all solutions used are regularly "vulnerability tested" and the security of the systems is constantly being improved.

Infodraw, which supplies surveillance systems to Germany and Belgium, among others, has not yet responded to Schaeffers' allegations. Meanwhile, the vulnerabilities identified in their software concern not only Luxembourg but also international entities.