What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet (youtube.com)
A couple months ago, YouTuber Benn Jordan "found vulnerabilities in some of Flock's license plate reader cameras," reports 404 Media's Jason Koebler. "He reached out to me to tell me he had learned that some of Flock's Condor cameras were left live-streaming to the open internet."
This led to a remarkable article where Koebler confirmed the breach by visiting a Flock surveillance camera mounted on a California traffic signal. ("On my phone, I am watching myself in real time as the camera records and livestreams me — without any password or login — to the open internet... Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.") Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics. Unlike many of Flock's cameras, which are designed to capture license plates as people drive by, Flock's Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people's faces... The exposure was initially discovered by YouTuber and technologist Benn Jordan and was shared with security researcher Jon "GainSec" Gaines, who recently found numerous vulnerabilities in several other models of Flock's automated license plate reader (ALPR) cameras.
Jordan appeared this week as a guest on Koebler's own YouTube channel, while Jordan released a video of his own about the experience, titled "We Hacked Flock Safety Cameras in under 30 Seconds." (Thanks to Slashdot reader beadon for sharing the link.) But together Jordan and 404 Media also created another video three weeks ago titled "The Flock Camera Leak is Like Netflix for Stalkers" which includes footage he says was "completely accessible at the time Flock Safety was telling cities that the devices are secure after they're deployed."
The video decries cities "too lazy to conduct their own security audit or research the efficacy versus risk," but also calls weak security "an industry-wide problem." Jordan explains in the video how he "very easily found the administration interfaces for dozens of Flock safety cameras..." — but also what happened next: None of the data or video footage was encrypted. There was no username or password required. These were all completely public-facing, for the world to see.... Making any modification to the cameras is illegal, so I didn't do this. But I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system...
During and after the process of conducting that research and making that video, I was visited by the police and had what I believed to be private investigators outside my home photographing me and my property and bothering my neighbors. John Gaines or GainSec, the brains behind most of this research, lost employment within 48 hours of the video being released. And the sad reality is that I don't view these things as consequences or punishment for researching security vulnerabilities. I view these as consequences and punishment for doing it ethically and transparently.
I've been contacted by people on or communicating with civic councils who found my videos concerning, and they shared Flock Safety's response with me. The company claimed that the devices in my video did not reflect the security standards of the ones being publicly deployed. The CEO even posted on LinkedIn and boasted about Flock Safety's security policies. So, I formally and publicly offered to personally fund security research into Flock Safety's deployed ecosystem. But the law prevents me from touching their live devices. So, all I needed was their permission so I wouldn't get arrested. And I was even willing to let them supervise this research.
I got no response.
So instead, he read Flock's official response to a security/surveillance industry research group — while standing in front of one of their security cameras, streaming his reading to the public internet.
"Might as well. It's my tax dollars that paid for it."
" 'Flock is committed to continuously improving security...'"
work with a city (Score:4, Insightful)
Re:So? (Score:5, Informative)
Maybe you didn't mean to react to the security researcher's quotes, but too bad. It was there, in the public posting space. So I'm going to drop part of it here:
"I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system..."
That's part of the "so what?".
Re: (Score:2)
I had the ability to delete any of the video footage or evidence by simply pressing a button.
Please don't change any of this, Flock. You have already created reasonable doubt that any criminal with more than a room temperature IQ defense attorney can use for acquittal. Even fixing this _now_ will require documented security measures plus ongoing compliance testing. Or Flock evidence will never be worth a fluck.
Re: (Score:1)
"I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system"
This does not make it more than a nothingburger.
Re: (Score:3)
"I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system"
This does not make it more than a nothingburger.
If you have write access to the filesystem, you can probably create "evidence" or tamper with evidence as well. That's a very big deal. I kind of think if you're going to hack them anyway, the best way to make the point would be to get the license plates of every city official and police car and falsely flag them all for 65 in a 35 zone every time they drive by. Watch as they get taken down the next day to correct "technical problems" and magically never get put back up.
Re: (Score:2)
That these cameras are being used by law enforcement is the problem, i.e., they are being used to track your movements and report to the police, so their security procedures matter. This isn't a wildlife cam or a retail store with some cameras pointed outside.
Re: (Score:3)
Is that it? That's your argument for why Flock has lax security, they should be allowed? Do you even understand the criticism here or are you just a crime slopper?
I mean Flock also led to this situation so you know, it's not all good!
Officer who used Flock cameras to falsely accuse Denver woman of theft will face unspecified disciplinary action [coloradosun.com]
Watch the video and look just *how sure* he is only to have gotten it completely wrong.
On the other hand maybe your straw-man argument should actually be my positio
Re: (Score:1)
It's a shame you don't understand police work. Evidence is actually needed: Public video is very valuable, as is citizen-posted cell phone video and reports, provided they are not "edited" for malicious purpose.
Look at what happened in Minnesota: Lots of video of the murder of the woman in the SUV has been very helpful in keeping that horror from being swept under the rug. (Note: I don't consider ICE as "police": They are racist and untrained brownshirts.)
And your Denver situation is far more a straw man ar
Re: (Score:2)
You're arguing against phantoms.
Do you understand the criticism. Nowhere did I make the argument "Police shouldn't use cameras" but the people running those cameras since it is used to literally prosecute people should be sure and follow the laws. Do you not agree to that?
If the video in Minnesota was captured by Flock cameras (was any of it?) and police or civilians were able to break in and delete or replace those videos is that good for anyone?
Do you understand or just want to make up positions to argue
Re: (Score:2)
It is a shame you do not understand police work. The only evidence is you being added to the suspect-to-annoy list for every crime Flock records your face, car, or relative nearby within a range of time near each crime near a camera.
Being a suspect used to mean something. Now it means you were within a mile of something.
Evidence is not what you think it is. (Nor them for that matter.)
Re: (Score:2)
Evidence is actually needed: Public video is very valuable
Sure, but public video with ALPR that *anyone* can access and *anyone* can view/modify/delete the contents is not needed. And it doesn't bode well for the security on the rest of them.
Look at what happened in Minnesota
Sure, but those, ultimately, are videos being taken by regular people. The police/city government doesn't own those. Flock cameras are only owned by police/city and the police will lie if, and whenever, able. ICE can access Flock (and Ring) cameras.
And your Denver situation is far more a straw man argument (Or "argue by exception") than mine.
It's not. Cop uses exact same technology to be bad. Researcher claims security
Re: (Score:2)
Being able to modify them renders any evidence from them worthless.
But being able to *view* them is a good thing, otherwise the cameras can be used against you while you can't easily use them to prove your innocence. There's an argument that cameras in public places should be viewable by all.
Re: (Score:2)
You should be able to - if and when they are used against you. The general public does not need live, real-time access to any public video feeds, especially those with ALPR. If there are enough public video livestreaming, stalking and other related activities become trivial.
Plus, if these cameras weren't secured, it makes you wonder what else isn't secured.
Re: (Score:2)
It's a shame you don't understand police work. Evidence is actually needed: Public video is very valuable, as is citizen-posted cell phone video and reports, provided they are not "edited" for malicious purpose.
Indeed. Unlike these cameras which are apparently publicly and anonymously editable.
Re: (Score:3)
They're also Pan, Tilt, Zoom cameras. If you have full access to their settings it'd be easy to turn the camera into a private area.
Re: (Score:2)
Only if the camera is located somewhere that it has visibility of a private area when oriented correctly.
What's also alarming is that you could point the camera somewhere useless like up against a wall or at the sky so that it can't do its job.
Re: (Score:2)
It could be in a position where there are private areas right up against public areas, and be programmed to just not pan into the private areas. But with access to the settings, well, that's not gonna do much.
Re: (Score:3)
It varies by state, but usually the only "private area" is filming inside of somebody's bathroom or bedroom through a window -- basically, places where they'd likely undress. But areas they wouldn't, like a kitchen or a living room are fair game, even if they do occasionally walk butt naked in them. Everything else, including e.g. backyards, other areas inside of houses, are legal for just anybody to record. Found this out after a bitchy neighbor was recording directly into my backyard with one of those pie
Live streaming toilet cam? (Score:1)
"We hacked... in under 30 seconds"? (Score:1)
I realize that language is fluid, and the meaning of words can change based on popular usage. But using "hacked" to mean "we visited a web portal that was left open to the internet"? Come on...
I guess slashdot.org gets hacked millions of times a year! And my department's website gets hacked hundreds of times a day!
Re: (Score:2)
In my book, hacked means (and always has meant) "gained unauthorized access to a computer network or system". There is not some bar of difficulty that must be reached to fit the definition. Kind of like how unlawful entry is still unlawful entry if someone leaves a door unlocked. (So I'm really annoyed by the terms "white hat hacking" and "ethical hacking".)
How do you define hacked?
Re: (Score:2)
How do you define hacked?
To me, "hacking" means at least a small amount of directed effort was required to gain access to a device - something at least marginally more than "I typed in the URL" or "I clicked on a link". To me, the legality of said access is a different issue.
We need an award (Score:4, Insightful)
"Best response to a security vulnerability"
So instead, he read Flock's official response to a security/surveillance industry research group — while standing in front of one of their security cameras, streaming his reading to the public internet.
"Might as well. It's my tax dollars that paid for it."
" 'Flock is committed to continuously improving security...'"
Nothing (Score:3, Informative)
And if by some miracle you've realized this is a bad idea and you're looking for a way to stop it your Fox News loving Grandpa is going to fuck shit up at the elections.
What amazes me is that this is all happening out in the open right where we can see it and we can't do anything about it because about 46% of the country is too stupid to understand why this is bad or too busy freaking out about violent video games or trans girls in sports or Satan possessing children or whatever the hell it is TV is telling them to freak out about and then all you have to do is stop about 5% of the rest of the country from voting using common voting suppression tactics...
I don't think our species has a future but I would love to be proven wrong
Re: (Score:2)
stop using "us" and "we" in your posts
Maybe rsilvergun has a mouse in his pocket.
Find Your Nearest Camera (Score:5, Informative)
Find your nearest cameras on Deflock's map [deflock.me].
It's actually pretty jarring to see how many installed cameras there are.
The absurdity of statements from Flock's CEO, PR, and legal departments are pretty disturbing as well.
I'd noticed them around my town recently. But, I hadn't given them much thought. But, after watching Jordan's video and seeing the map... Yikes! Panopticon in 4, 3, 2...
Re: (Score:3, Insightful)
Seems like there need to be some "Blade Runners" taking these cameras down.
To those who say there is no expectation of privacy, there is also no expectation of blanket covert surveillance.
"Oh, but it isn't covert. You can clearly see the cameras." They are supposed to be monitoring the vehicles. Who do you approach to FOIA the footage taken of you?
More interesting, or disturbing ... (Score:4, Funny)
What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet
They were filming in a "V" pattern and heading South for the winter.
Re: (Score:2)
What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet
They were filming in a "V" pattern and heading South for the winter.
ATTN: News for Nerds: Birds are not real.
https://www.youtube.com/watch?... [youtube.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
https://hub.jhu.edu/2024/02/07... [jhu.edu]
http://archive.today/Rb32y [archive.today]
Avoidance makes me happy. (Score:2)
Every time I am not caught on a camera, while not committing a crime, is another happy moment realizing my own or my loved ones' pets will not be shot at home by a panicky LEO asking if I saw anything through a wall, or jumped out of my car walked climbed over the wall and committed the carjacking, I was reportedly near within the hour time span I was stuck in traffic, between times I was recorded between multiple cameras.
A feature not a bug. (Score:2)
Re: A feature not a bug. (Score:2)
But - the whole world? Or just people in the USA? Or just people in the municipality who operates it?
VDOT live streams traffic already (Score:2)
all these cameras should live stream (Score:2)
If the claim is that the government is entitled to watch you because you should have no expectation of privacy in a public place, then anyone should be able to do the same. That way, the govt can't just pick and choose what it makes public, typically cherry-picking to support a false narrative.
No one cares about security (*) (Score:2)
Have you ever sat in any IT review? How often do you hear people wax poetic about their deep and intense love for security, only for it to be complete BS?
I was doing a demo to a large corporation, whom I won't name, and they asked why our TLS standard is 1.3+, and why we disabled all but three cipher suites. Why? Why do you need anything less secure than: “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”? That's pretty reason
The Flashbulb (Score:2)
I think it's so weird to read Benn Jordan described as a Youtuber and technologist. I primarily know him as a musician and composer, look at this motherfucker's discography! https://www.discogs.com/artist... [discogs.com]