Turns out anyone with an internet connection, and not even a password, could access the feeds of a line of the Flock surveillance cameras that are currently all the rage with the SFPD and Oakland Police Department.
Below we see pictured what is likely one of those Flock Safety automated license plate reader cameras, one of the 400 of these new security cameras in SF that are taking three million surveillance photos every day. To hear SFPD tell it, these Flock Safety cameras have been an absolute godsend for catching carjacking suspects and other criminals, and they’re supposedly a huge driver of SF's recent notable drop in crime rates.
The Oakland Police Department also loves their Flock Safety license plate reader cameras, and the Oakland City Council just approved a $2 million contract renewal with Flock to keep using those cameras, albeit in a meeting that will probably be remembered for different reasons.

So there is certainly some utility to these Flock surveillance cameras. And as the Trump administration indulges in its spending spree on surveillance of US citizens for ICE and police state purposes, Flock Safety is a company positioned to do very well for itself right now.
But the publication 404 Media just discovered an astonishing security flaw in a line of Flock Safety cameras. It turns out that anyone with an internet connection could hack into their security cameras, cameras whose feeds of public streets, playgrounds, and parking lots were not protected by any passwords. Literally any fool could get complete administrative access to these Flock Safety cameras with no credentials whatsoever.

This animated gif, where the pedestrian turns and waves at the camera, tells an incredibly chilling tale. Let’s let 404 Media author Jason Koebler explain.
“I am standing on the corner of Harris Road and Young Street outside of the Crossroads Business Park in Bakersfield, California, looking up at a Flock surveillance camera bolted high above a traffic signal,” Koebler writes. “On my phone, I am watching myself in real time as the camera records and livestreams me — without any password or login — to the open internet. I wander into the intersection, stare at the camera and wave. On the livestream, I can see myself clearly. Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.”
Granted, these are not the same model of automated license plate reader (ALPR) cameras that are being used in San Francisco and Oakland. This variety is called Condor Live cameras, and they capture not only the images of license plates, but they can even do facial recognition. But with these great powers come great responsibilities, responsibilities that Flock Safety may have tended to quite poorly.
404 Media’s investigation found that “at least 60 of its AI-enabled Condor cameras around the country [were] exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics.”
And of course, these new cameras with the massive security flaws are “AI-driven.”
404 Media got their scoop from security researcher and YouTube-famous hacker Benn Jordan, who describes the startling degree of access he was able to get to Flock Safety systems, with no credentials whatsoever.
“Immediately, we were just without any username, without any password, we were just seeing everything from playgrounds to parking lots with people, Christmas shopping and unloading their stuff into cars,” Jordan told 404 Media. “I think it was like the first time that I actually got like immediately scared … I think the one that affected me most was the playground. You could see unattended kids, and that’s something I want people to know about so they can understand how dangerous this is.”
Again, these are not the same Flock Safety ALPR cameras being used in San Francisco and Oakland. These are cameras designed more to monitor human faces as opposed to vehicles’ license plate numbers. And Flock Safety insists this security flaw has since been eliminated.
"This was a limited misconfiguration on a very small number of devices, and it has since been remedied," a Flock spokesperson said to 404 Media in late December. The company did not detail how many cameras were among the “very small number of devices” affected by this shocking security flaw.
And indeed, this was not the exact same model of Flock Safety cameras being used in San Francisco and Oakland. But if even one of their models had a security flaw this profound, that certainly makes it fair to wonder about the degree to which Flock Safety cameras on the market share their data not only with Trump’s federal law enforcement apparatus, but also with any hacker who manages to infiltrate their cameras.
Image: Joe Kukura, SFist
