Critical Security Vulnerabilities Exposed in Flock Safety Surveillance Cameras: A Comprehensive Analysis of the 2025 Research Findings
The automated license plate reader industry faces unprecedented scrutiny following revelations that Flock Safety cameras can be compromised in under 30 seconds through a simple button sequence on the device’s back panel Privacy Guides. This discovery, part of extensive independent security research published in November 2025, has prompted federal lawmakers to call for investigations and raised fundamental questions about surveillance technology deployed across thousands of American communities. The vulnerabilities documented by cybersecurity researcher Jon Gaines represent far more than theoretical weaknesses—they constitute systemic security failures in devices trusted with tracking millions of vehicles daily. With over 100,000 Flock cameras installed across the United States, representing approximately one camera for every 4,000 citizens Malwarebytes, the implications of these security flaws extend to national security, individual privacy, and the integrity of criminal evidence collected through these systems. The research findings have sparked intense debate about the balance between public safety technology and cybersecurity best practices, particularly as municipalities continue investing taxpayer dollars in surveillance infrastructure that may be fundamentally compromised.
The formal white paper published by Jon Gaines documents 51 distinct security findings, including 22 with assigned Common Vulnerabilities and Exposures (CVE) identifiers and an additional 8 pending CVE assignment GitHub. These vulnerabilities span multiple categories including authentication weaknesses, cryptographic failures, and fundamental system design flaws that would allow malicious actors to manipulate footage, steal credentials, or repurpose the devices for unauthorized surveillance. The research represents months of independent analysis conducted on hardware purchased through secondary markets, demonstrating that the security issues are not merely academic exercises but represent real-world exploitable conditions. Flock Safety, which began requiring multi-factor authentication by default for all new users only in November 2024 9news, has acknowledged the vulnerabilities while maintaining that none impact customers’ ability to carry out public safety objectives. However, the revelation that police login credentials have been discovered for sale on dark web marketplaces suggests the threat landscape extends beyond physical device manipulation to include remote access exploitation through compromised authentication systems.
Want a free Oklahoma CS lesson?
The primary vulnerability that captured widespread attention involves the Android-based operating system running on Flock’s camera units. By pressing a button on the back of the camera in a specific sequence, an attacker can create a wireless access point, connect to it, enable Android Debug Bridge (ADB), and obtain complete control over the device Privacy Guides. This process requires minimal technical sophistication and no specialized tools beyond a standard computing device capable of WiFi connectivity. Gaines described the compromise timeline as approximately 30 seconds with a stick, referring to the physical tool needed to press the recessed button on the camera housing 9news. Once root access is obtained, an attacker can install malicious software, modify stored footage, extract sensitive data, or convert the surveillance device into a platform for launching additional attacks. The cameras also feature exposed USB ports that accept input from devices like USB Rubber Ducky attack tools, which can mimic keyboard input to execute arbitrary commands. These physical access vectors represent fundamental design choices that prioritize operational convenience over security hardening, leaving devices vulnerable to tampering by anyone with brief unsupervised access to the hardware.
The cryptographic and network security deficiencies compound the physical access vulnerabilities. The cameras store hard-coded WiFi network names that they will automatically connect to when LTE signals are unavailable, and they transmit cleartext credentials Privacy Guides, creating opportunities for man-in-the-middle attacks. An attacker need only create a wireless access point matching one of these hard-coded network names to intercept traffic and credentials from nearby Flock cameras. The devices run on Android Things 8 or 8.1, an operating system discontinued in 2021 with hundreds of known vulnerabilities that will never receive security patches Radar Detector & Countermeasure Forum. This represents a conscious decision to deploy hardware running obsolete software with documented security holes, creating a permanent attack surface that cannot be remediated through software updates alone. The use of IMSI catchers—devices that mimic cellular towers to intercept mobile device communications—provides another vector for compromising the cameras’ LTE connections. These network-level vulnerabilities enable remote attacks that do not require physical proximity to the devices, exponentially expanding the potential threat landscape and the number of actors capable of exploitation.
The authentication and access control failures extend beyond the camera hardware to the web-based systems used by law enforcement agencies. Flock Safety does not mandate multi-factor authentication for its law enforcement customers, and approximately 3% of customers—potentially dozens of agencies—have declined to enable this security feature TechCrunch. This means that stolen or compromised passwords alone grant complete access to sensitive surveillance data, including the ability to search billions of license plate records and associated location information. Jordan identified Flock police login credentials for sale on dark web marketplaces, though he did not purchase them for legal reasons, demonstrating that credential theft is not merely theoretical but actively occurring 9news. The consequences of compromised law enforcement access include potential stalking, unauthorized surveillance, evidence tampering, and the exposure of sensitive investigative information to criminal organizations or foreign intelligence services. The absence of mandatory multi-factor authentication on systems containing such sensitive data represents a security posture more appropriate for low-risk consumer applications than for law enforcement tools.
The data retention and encryption practices revealed through the security research contradict Flock Safety’s public statements about privacy protections. Images were stored unencrypted on the devices regardless of whether a license plate was detected, and researchers found images dating back to factory testing, suggesting that data retention extends far beyond the advertised 7-day period Privacy Guides. The discovery of unencrypted images means that anyone gaining access to a camera—whether through the button sequence exploit, USB access, or network compromise—can extract all stored surveillance footage without any additional decryption steps. Furthermore, the presence of images showing people and objects beyond vehicles challenges Flock’s marketing claims that the cameras focus exclusively on license plates. The researchers documented that the cameras capture and store wide-angle footage that includes pedestrians, building details, and other elements that constitute general surveillance rather than targeted vehicle tracking. These findings raise questions about informed consent, as communities purchasing these systems under the understanding they would only capture license plate data are receiving general-purpose surveillance cameras with significantly broader monitoring capabilities.
The response from Flock Safety and government entities has been mixed. Flock stated that exploitation of the documented vulnerabilities would require both physical access to devices and intimate knowledge of internal device hardware, and that no customer action is required in response to the disclosure Flock Safety. However, this response downplays the research findings that demonstrate physical access requirements are minimal—a few seconds with a stick—and that the technical knowledge needed is well within reach of motivated attackers. In November 2025, Senator Ron Wyden and Representative Raja Krishnamoorthi called on the Federal Trade Commission to investigate Flock Safety for allegedly failing to implement cybersecurity protections TechCrunch, citing national security risks posed by the authentication failures and credential theft. The congressional letter represents formal recognition that the security failures extend beyond privacy concerns to potential exploitation by foreign intelligence services, organized crime, or domestic extremist groups seeking to track law enforcement movements or manipulate evidence. Several municipalities have begun reassessing their Flock Safety contracts in light of the research, with some city councils voting against contract renewals despite executive branch support for continued deployment.
The broader implications for surveillance technology regulation emerge from this case study. The Flock Safety vulnerabilities demonstrate that private companies deploying government-contracted surveillance systems may prioritize market expansion over security best practices, creating systemic risks that individual municipalities lack the technical capacity to evaluate. The research has sparked discussions about requiring independent security audits for any surveillance technology purchased with taxpayer funds, establishing minimum security standards for systems that collect sensitive data, and creating liability frameworks that hold vendors accountable for security failures. The ease of hacking and video alteration ought to severely dampen the use of these cameras, particularly regarding their admissibility as evidence in criminal proceedings Naked Capitalism. Defense attorneys can now argue that Flock footage lacks chain of custody integrity because the systems recording it are trivially compromised, potentially creating a “fruit of the poisonous tree” scenario where evidence derived from these systems becomes inadmissible. The intersection of cybersecurity vulnerabilities and criminal justice proceedings represents uncharted legal territory that courts will need to address as more defendants challenge the reliability of automated surveillance evidence.
The research methodology employed by Jon Gaines followed responsible disclosure principles while maximizing public awareness. Gaines notified Flock Safety of findings earlier in 2025, and the company registered vulnerabilities with the National Vulnerability Database through MITRE GitHub. The formal white paper released in November 2025 redacted specific exploitation details to prevent widespread abuse while providing sufficient information for security professionals to understand the vulnerabilities and for organizations to make informed decisions about their surveillance infrastructure. The research was amplified through collaborations with content creators like Benn Jordan, whose YouTube video documenting the vulnerabilities garnered hundreds of thousands of views and brought technical security issues to mainstream public attention. This multi-channel approach to disclosure—combining formal CVE submissions, white paper publication, and accessible public communication—represents an effective model for responsible vulnerability disclosure that balances researcher ethics, vendor remediation timelines, and public right to know about security risks in taxpayer-funded infrastructure.
The technical details of specific vulnerabilities provide insight into the depth of security failures. One documented vulnerability involves the lack of secure boot and flash encryption configuration in the devices’ firmware, allowing physical attackers to modify core system code without cryptographic authentication. Another finding concerns the use of cleartext storage for sensitive configuration data, meaning credentials and settings are accessible to anyone who gains filesystem access through any of the multiple exploitation paths. The research also identified issues with the devices’ update mechanisms, where insufficient validation of firmware updates could allow malicious actors to deploy compromised firmware that would then be authenticated and installed by the devices. These findings collectively paint a picture of security measures that were either never implemented or were disabled for operational convenience, resulting in surveillance devices that function more like hobbyist development boards than hardened field-deployed sensors handling sensitive government data.
The efficacy claims made by Flock Safety regarding crime reduction have also come under scrutiny alongside the security revelations. Critics argue that the source for crime reduction claims is research created by Flock Safety employees, and that many studies cited by the company use misleading or outdated data while national crime rates have been dropping regardless of surveillance technology deployment Radar Detector & Countermeasure Forum. This challenges the fundamental cost-benefit analysis that municipalities conduct when deciding whether to purchase these systems. If the security vulnerabilities are significant enough to enable evidence tampering, criminal misuse, or foreign intelligence exploitation, and if the crime reduction benefits are less substantial than marketed, then the public safety argument for widespread deployment collapses. Communities are left subsidizing a surveillance infrastructure that may make them less secure through the creation of new attack surfaces and vulnerability to manipulation. The combination of overstated benefits and understated security risks represents a pattern seen across the surveillance technology industry, where vendor claims often exceed independently verified performance and where security is treated as an afterthought rather than a foundational requirement.
The path forward requires coordinated action from multiple stakeholders. Lawmakers must establish mandatory security standards for surveillance technologies purchased with public funds, including requirements for independent security audits, responsible disclosure policies, and minimum authentication protections. Municipalities need to develop technical capacity to evaluate vendor security claims and to conduct ongoing monitoring of deployed systems for signs of compromise. Vendors like Flock Safety must fundamentally reevaluate their security posture, implementing defense-in-depth strategies that assume physical access will occur and designing systems that remain secure even after partial compromise. The cybersecurity research community should continue independent analysis of surveillance technologies, with funding support for researchers who identify vulnerabilities in systems of public interest. Civil society organizations must advocate for transparency requirements that allow communities to understand the full capabilities and limitations of surveillance systems before they are deployed. Finally, the judicial system needs to grapple with the evidentiary implications of compromised surveillance systems, developing standards for establishing chain of custody and data integrity in the context of devices with known security vulnerabilities.
Reference:
