Today’s post is political, but I promise it’s not red nor blue. I will rarely talk politics, but this… it’s just too much. Everyone in the U.S. needs to know.
It’s a shocking YouTube exposé from an infosec guy named Benn Jordan:
Cliff’s Notes
Flock Cameras (you know, those little street cams on light poles?) - YIKES!
- They locally cache compromising public data on LEO and citizen traffic patterns
- They don’t implement 2FA
- They don’t encrypt local metadata
- They don’t encrypt live frame buffers (holy SH…!)
- They have a button that activates a local unencrypted hotspot
- They have several no-firewall rubber ducky ports with no physical locks
- They’re running a 5-year deprecated version of Android OS
  - It’s deprecated because of several security patches
- They left open a germane attack vector to access root
- Anyone who tries to audit this insanity gets visited by local LEO
So basically, they looked at an infosec checklist and lit it on fire rather than check-marking anything. And then, since any implication of impropriety is egg on not-just-the-company’s face but on govt faces too… expect cover-ups.
Dude. Like, what? How? How even possible?
1. How do several hundred police departments have ZERO software people capable of spotting ANY of this?
2. How do the Feds let 80,000 of these cameras proliferate on American streets when every register of their memory is infused with such dangerous incompetence?
3. Even if their security WERE buttoned up, how did the egregious rights violations made obvious by utter lack of security not reach the Supreme Court years ago? Oh, I guess 1 and 2 answer that.
4. Can they please fix at least some of this before foreign intelligence bureaus back-door every American street cam? Probably too late.
What Needs to Happen
They need to take those cameras down TODAY and make laws preventing deployment of future hardware that doesn’t at the very least do two things:
- Check ALL the security boxes that are missing above.
- Guarantee the collected data is stored on secure servers that no one (not even LEO or Feds) can access without a warrant.
I am not anti-LEO. I WANT detectives to have access to footage of hardened criminals… WITH A WARRANT. But if service providers don’t have their security house in order, they need to be fired.
I don’t do team politics. There’s WAY too much of that on the web. But there is rarely an issue so bipartisan. This is a blatant betrayal of basic public safety and the promise to uphold the 1st & 4th Amendments.
Wow. Just… wow.
AJ Campbell,
Tech Lead/Senior XR Programmer Guy
GitHub: https://github.com/ajcampbell1333
Portfolio: https://ajcampbell.info