
Data from Police Body Camera Apps Routed to Chinese Cloud Servers Over TLS Port 9091

The security and integrity of police body camera footage underpin the validity of evidence presented in court proceedings.

However, a recent investigation into a budget-friendly body camera system revealed that its companion mobile application—Viidure—transmits sensitive device identifiers and user data to cloud servers based in China over a nonstandard TLS port.

Such behavior raises pressing concerns around data privacy, chain-of-custody, and compliance with U.S. law enforcement policies.

Using Wireshark packet captures on an isolated network, the Viidure mobile application was observed establishing encrypted sessions to multiple domains.

The most noteworthy endpoint, app-api.lufengzhe.com:9091, resolved to IP address 115.175.147.124, which WHOIS records confirm belongs to HUAWEI INTERNATIONAL PTE. LTD. in China.

TLS communications to Chinese cloud servers.

In addition, the app communicates over standard TLS port 443 to Baidu mapping services (api.map.baidu.com and loc.map.baidu.com), presumably for geolocation features.

The unexpected use of port 9091 for core API traffic suggests either custom server configurations or deliberate obfuscation of data flows.

Regardless, routing video-related metadata and device identifiers through Chinese-hosted servers creates potential exposure to foreign government surveillance and unauthorized access.

Man-in-the-Middle Analysis

To assess TLS validation within the Viidure application, a man-in-the-middle (MitM) test was conducted using the open-source mitmrouter framework alongside mitmdump in upstream mode.

mitmrouter diagram.

Iptables rules redirected both port 443 and port 9091 traffic through a local proxy chain terminating at Caido.

Despite presenting a forged certificate mimicking the Chinese cloud server, the mobile application failed to reject the connection, indicating inadequate server certificate verification.

Consequently, all HTTP message contents exchanged between the app and the cloud were exposed in plaintext within the proxy logs.

Among the most sensitive intercepted requests was a version check endpoint (/iot/api/v1/version/check), wherein the application transmitted the device’s International Mobile Equipment Identity (IMEI) and the operator’s email address.

The JSON payload included:

{
  "data": [
    {
      "model": "6zhentan_android",
      "region": "other",
      "version": "v2.7.1.250712",
      "useType": 1,
      "imei": "17562212185897060"
    }
  ],
  "language": "en_US",
  "appmodel": "6zhentan",
  "osmodel": "android",
  "country": "US",
  "username": "<redacted>"
}

Exfiltration of IMEI values not only undermines device anonymity but also enables tracking of individual officers and the sensitive video data they collect.

Moreover, the absence of robust certificate pinning or TLS validation permits adversaries to intercept or manipulate video-management commands.

Implications for Law Enforcement

Police departments nationwide increasingly rely on body camera ecosystems from third-party vendors.

When a vendor’s infrastructure resides in jurisdictions with divergent data-protection regulations, videotaped encounters become vulnerable to data-sovereignty violations.

The Viidure app’s communications to Chinese servers may contravene policies that mandate secure, localized storage of evidentiary material.

Further, any exploitation of the flawed TLS validation could allow unauthorized actors to inject malicious firmware updates or delete footage mid-transit.

Agencies should demand full transparency from body-camera manufacturers regarding data-flow diagrams, server locations, and cryptographic safeguards.

Procurement contracts must require that all cloud services reside within approved jurisdictions, employ TLS with certificate pinning, and undergo independent security audits.

In light of these findings, law enforcement professionals should:

Protect chain-of-custody by configuring network firewalls to block outbound traffic the agency has not consented to.
Mandate that vendors implement strict TLS server-certificate validation and pinning.
Audit mobile applications for data exfiltration patterns and confirm compliance with CJIS and other data-security standards.
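
One way to carry out the audit recommended above, as an added example (not code from the investigation or the vendor): it checks a decrypted proxy flow against a destination allowlist, flags TLS on a nonstandard port, and reports identifier fields such as the IMEI and username seen in the version-check request. The allowlist host, the sensitive-key list and the sample email address are assumptions constructed for illustration.

```python
import json
import re

APPROVED = {("evidence.example.gov", 443)}  # assumption: agency allowlist (placeholder)
SENSITIVE_KEYS = {"imei", "username", "email", "serial", "mac"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
LONG_ID_RE = re.compile(r"\d{14,17}")  # IMEI-like numeric identifiers

# Constructed sample: one decrypted flow shaped like the version-check request.
SAMPLE_FLOW = {
    "host": "app-api.lufengzhe.com", "port": 9091,
    "body": json.dumps({
        "data": [{"model": "6zhentan_android", "region": "other",
                  "version": "v2.7.1.250712", "useType": 1,
                  "imei": "17562212185897060"}],
        "country": "US", "username": "officer@example.org"}),
}

def walk(node, path="$", key=""):
    """Yield (json_path, nearest_key, value) for every scalar in the body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k.lower())
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node

def audit_flow(flow):
    """Return findings for one flow: destination checks, then body fields."""
    findings = []
    if (flow["host"], flow["port"]) not in APPROVED:
        findings.append(f"unapproved destination {flow['host']}:{flow['port']}")
    if flow["port"] != 443:
        findings.append(f"TLS on nonstandard port {flow['port']}")
    try:
        body = json.loads(flow["body"])
    except (ValueError, TypeError):
        return findings  # non-JSON or missing body: destination checks only
    for path, key, value in walk(body):
        if key in SENSITIVE_KEYS:
            findings.append(f"identifier field {path}")
        elif EMAIL_RE.fullmatch(str(value)) or LONG_ID_RE.fullmatch(str(value)):
            findings.append(f"identifier-like value at {path}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_flow(SAMPLE_FLOW)))
```

The value-based patterns catch identifiers sent under unfamiliar key names; the same findings can drive the firewall allowlist once the approved destinations are agreed.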

The integrity of police body camera evidence depends not only on the device’s recording capabilities but also on the security of its data-management pipeline.

As this case demonstrates, low-cost solutions may introduce unacceptable risks, jeopardizing both privacy and prosecutorial efficacy. Continuous scrutiny of vendor implementations and adherence to stringent cybersecurity requirements remain essential to safeguard public trust.
