Article 72X85 What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet

by EditorDavid from Slashdot on (#72X85)

A couple months ago, YouTuber Benn Jordan "found vulnerabilities in some of Flock's license plate reader cameras," reports 404 Media's Jason Koebler. "He reached out to me to tell me he had learned that some of Flock's Condor cameras were left live-streaming to the open internet." This led to a remarkable article where Koebler confirmed the breach by visiting a Flock surveillance camera mounted on a California traffic signal. ("On my phone, I am watching myself in real time as the camera records and livestreams me - without any password or login - to the open internet... Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.")

Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics. Unlike many of Flock's cameras, which are designed to capture license plates as people drive by, Flock's Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people's faces... The exposure was initially discovered by YouTuber and technologist Benn Jordan and was shared with security researcher Jon "GainSec" Gaines, who recently found numerous vulnerabilities in several other models of Flock's automated license plate reader (ALPR) cameras.

Jordan appeared this week as a guest on Koebler's own YouTube channel, while Jordan released a video of his own about the experience, titled "We Hacked Flock Safety Cameras in under 30 Seconds." (Thanks to Slashdot reader beadon for sharing the link.)

But together Jordan and 404 Media also created another video three weeks ago titled "The Flock Camera Leak is Like Netflix for Stalkers" which includes footage he says was "completely accessible at the time Flock Safety was telling cities that the devices are secure after they're deployed." The video decries cities "too lazy to conduct their own security audit or research the efficacy versus risk," but also calls weak security "an industry-wide problem." Jordan explains in the video how he "very easily found the administration interfaces for dozens of Flock safety cameras..." - but also what happened next:

None of the data or video footage was encrypted. There was no username or password required. These were all completely public-facing, for the world to see.... Making any modification to the cameras is illegal, so I didn't do this. But I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system... During and after the process of conducting that research and making that video, I was visited by the police and had what I believed to be private investigators outside my home photographing me and my property and bothering my neighbors. John Gaines or GainSec, the brains behind most of this research, lost employment within 48 hours of the video being released. And the sad reality is that I don't view these things as consequences or punishment for researching security vulnerabilities. I view these as consequences and punishment for doing it ethically and transparently. I've been contacted by people on or communicating with civic councils who found my videos concerning, and they shared Flock Safety's response with me. The company claimed that the devices in my video did not reflect the security standards of the ones being publicly deployed.

The CEO even posted on LinkedIn and boasted about Flock Safety's security policies. So, I formally and publicly offered to personally fund security research into Flock Safety's deployed ecosystem. But the law prevents me from touching their live devices. So, all I needed was their permission so I wouldn't get arrested. And I was even willing to let them supervise this research. I got no response.

So instead, he read Flock's official response to a security/surveillance industry research group - while standing in front of one of their security cameras, streaming his reading to the public internet. "Might as well. It's my tax dollars that paid for it." " 'Flock is committed to continuously improving security...'"
