
Security Ledger
The Security Ledger episode spotlights Flock Safety’s rapid expansion across American neighborhoods, with roughly 4,000 communities hosting its black‑box cameras. Positioned on solar‑powered poles, these devices blend into streets while silently scanning every passing vehicle. Their core promise—one‑click case resolution for law enforcement—relies on AI‑driven license‑plate recognition (LPR) and additional visual cues such as broken taillights or bumper stickers. By embedding this surveillance into homeowners’ associations and municipal contracts, Flock creates a pervasive data‑collection layer that extends far beyond traditional traffic monitoring, raising immediate questions about consent and public oversight.
Both Benn Jordan and Jon Gaines independently acquired second-hand Flock units and uncovered a cascade of security flaws. The cameras run an obsolete Android Things operating system, long past end-of-life, meaning no patches are issued. A hard-coded hotspot password appears on multiple models, and the exposed ‘Collins’ API lacks any authentication, allowing attackers to enable ADB over TCP and execute system commands. Moreover, a simple press of the power button opens an administrative web interface, granting root-level shell access. Additional issues include enabled debugging, insecure DSP chips in gunshot detectors, and a reverse proxy that can tunnel traffic over LTE.
The technical weaknesses translate into real‑world privacy threats. Unrestricted access to license‑plate reads, vehicle damage assessments, and inferred personal interests can be merged with open‑source intelligence to build detailed profiles of individuals. Malicious actors—ranging from opportunistic hackers to state‑backed surveillance programs—could exploit wireless hotspots or physical proximity to hijack cameras, replay feeds, or exfiltrate data without ever touching the hardware. For municipalities and private operators, the episode underscores the need for secure firmware updates, unique credentials, network segmentation, and transparent data‑use policies. Until Flock adopts a security‑by‑design approach, its AI‑powered surveillance remains a high‑risk vector for both civil liberties and cyber‑crime.
Security researcher Jon “Gainsec” Gaines and YouTuber Benn Jordan discuss their examination of Flock Safety’s AI-powered license plate readers and how cost-driven design choices, outdated software, and weak security controls expose them to abuse.
The post AI Surveillance: Unmasking Flock Safety’s Insecurities appeared first on The Security Ledger with Paul F. Roberts.