flock camera awareness
Security Failures
They hold a record of everywhere you drive. Here is how well they guard it.
the thing about a database
Once your movements exist in a searchable record, "who can see it" stops being Flock's decision and starts being a security question.
You cannot consent to that risk, because you were never asked. You cannot opt out of it, because you cannot un-drive past a camera. All you can do is look at how the company handles the data - and then decide how much you trust it.
wide open
-
Dec 2025 - Jan 2026
Dozens of cameras streamed live to the open internet. No password. No encryption.
Technologist Benn Jordan and security researcher Jon "GainSec" Gaines independently found Flock Condor PTZ cameras reachable from any browser with no authentication at all. 404 Media confirmed at least 60. GainSec catalogued 67 live feeds and debug interfaces.
Anyone could watch real-time footage, download 30 days of archive, and in cases reach admin controls and change device settings. Among the visible streams: children on a playground. A 404 Media reporter stood in a street in California and watched himself on a feed his colleagues could open from hundreds of miles away.
Flock's response was that this was a limited misconfiguration on a small number of devices, since remedied - and that it was not a "hack" of their platform. Technically true. Also irrelevant to everyone who was on camera.
the hardware
-
51 findings · 22 CVEs
"Theoretical" vulnerabilities that were quietly filed with the national CVE database
GainSec's white paper on Flock's ecosystem documents 51 security findings, of which 22 were assigned CVE identifiers and more were pending. Benn Jordan's teardown of second-hand Flock hardware found exposed USB ports, unsecured storage, debug features left enabled, end-of-life Android builds no longer receiving security updates, exploitable wireless access, and remote code execution. Credentials were observed transmitting in clear text.
Flock characterised the findings as theoretical, requiring physical access and intimate knowledge - then filed the CVEs. Researchers subsequently reproduced the same results on cloud-connected units.
An end-of-life operating system doesn't stop being vulnerable. It stops getting fixed. And once tens of thousands of these are bolted to poles nationwide, patching stops being a software problem and becomes a logistics one.
the front door
-
Nov 2025
No multi-factor authentication. A stolen password is a key to the network.
Flock does not require MFA by default. That means one phished or reused officer credential opens access to a nationwide surveillance database - not one town's cameras, the network. Flock logins have turned up for sale on Russian cybercrime forums.
Lawmakers asked the FTC to investigate. In February 2026, Senator Ron Wyden and Rep. Raja Krishnamoorthi formally requested an inquiry, arguing the company had needlessly exposed Americans' sensitive personal data to hackers and foreign intelligence services.
-
Audit logs
Redaction failures exposed millions of plates and who was searching them
Multiple departments released Flock audit logs in response to public records requests without properly redacting them. The disclosed material covered more than 2.3 million license plates and tens of millions of queries - who was searched, when, where, by which officer, and the reason they typed. Suspects, victims, and people under no suspicion at all, in one spill.
This one wasn't Flock's error. That's the point: the system hands this data to thousands of agencies, and it only takes one to fumble it.
this is not new
-
Precedent
ALPR data has been leaking for years
In 2019, a breach at US Customs and Border Protection exposed license plate images and traveler photos collected at the border. In Boston, an investigation found the police department's ALPR data - including sensitive resident information - sitting exposed online.
Every one of these systems was also sold as secure, right up until it wasn't.