The livestreams connected to more than 60 of Flock’s AI-powered surveillance cameras were left available to view on the web, allowing someone to see live feeds of each location without needing a username or password, according to findings from tech YouTuber Benn Jordan and 404 Media.
Flock is a technology company that works with thousands of law enforcement agencies and businesses to deploy a network of AI-powered cameras across the country. It also recently partnered with Ring, giving Flock customers the ability to request footage from users in Ring’s Neighbors app. As noted by 404 Media, many of Flock’s cameras are made to scan a vehicle’s license plates. However, the feeds exposed to the internet connect to Flock’s Condor cameras, which can pan, tilt, and zoom to automatically track people and vehicles.
“I watched a man leave his house in the morning in New York,” Jordan says in his video. “I watched a woman jogging alone on a forest trail in Georgia. This trail had multiple cameras, and I could watch a man rollerblade and then take a break to watch rollerblading videos on his phone. How? Because the camera’s AI automatically zoomed in on it — just like it zoomed in on a couple arguing at a street market in Atlanta.”
Jordan worked with Jon “GainSec” Gaines — who previously uncovered security flaws within Flock’s system — to find the live feeds on Shodan, a search engine containing a database of devices connected to the internet.
As reported by 404 Media and Jordan, the two located dozens of Flock live feeds and administrator control panels, where they could not only view the streams but also freely download video archives from the last 30 days, change settings, delete footage, view log files, and run diagnostics. Anyone with links to the streams could access them, no credentials required, according to 404 Media.
In some cases, Jordan and 404 Media’s Jason Koebler visited the locations of the Flock cameras, where they were filmed and displayed on the openly accessible livestreams.
“This was a limited misconfiguration on a very small number of devices, and it has since been remedied,” a Flock spokesperson said in a statement to 404 Media. Flock didn’t immediately respond to The Verge’s request for comment.








