Security researcher Jon “Gainsec” Gaines and YouTuber Benn Jordan discuss their examination of Flock Safety’s AI-powered license plate readers and how cost-driven design choices, outdated software, and weak security controls expose them to abuse.

The post AI Surveillance: Unmasking Flock Safety’s Insecurities appeared first on The Security Ledger with Paul F. Roberts.

AI Surveillance: Unmasking Flock Safety’s Insecurities

The Security Ledger – Paul F. Roberts

December 2025

In this episode of the podcast, we welcome independent security researcher Jon Gaines (“Gainsec”) along with musician, acoustic scientist and YouTuber Benn Jordan to talk about their deep‑dive into AI‑powered surveillance technology from Flock Safety, whose license‑plate readers and gunshot‑detection systems are now deployed in thousands of U.S. communities. Benn and Jon explain how Flock’s cost‑driven design choices, outdated software, and weak security controls expose widely deployed “public safety” infrastructure like license‑plate readers to abuse – as well as the broader societal and privacy implications of embedding opaque, networked surveillance cameras into everyday civic life—often without meaningful oversight or accountability.

[Video Podcast] | [Download] | [Transcript & Podcast Links]

---

Back in 2020, I sat down in the Security Ledger studio with Garret Langley about how questions about the rate of unsolved crimes in his community in Georgia led him to found Flock Safety, a start‑up in the surveillance market that sells inexpensive Automated License Plate Reader (ALPR) cameras to law enforcement, homeowners’ associations and individuals. Five years ago, Garrett talked about how the core concept behind Flock was utilizing powerful – but inexpensive consumer technology to create affordable ALPR cameras in a market that was dominated by costly, legacy devices. Garrett and I also talked about the challenges that Flock faces as it navigated the “gray zone” of public safety, civil liberties and privacy that its technology inhabits.

The Dark Side Of License Plate Readers

Even then, however, there was a bigger story lurking just under the covers. In our original podcast with Flock, we heard from Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation (EFF), who talked about the growth of consumer surveillance gear like Flock and the Ring smart doorbell and how those consumer technologies were raising serious privacy and civil‑liberties concerns for U.S. citizens, who increasingly are inhabiting a world saturated with private and publicly owned surveillance technology.

And five years later? There’s no surprise that the trends we talked about back in 2020 have only become more pronounced. Flock’s automated license‑plate readers (ALPRs) are a big hit with communities interested in automated traffic enforcement and are now deployed in more than 4,000 U.S. communities. That has certainly helped realize Garrett’s original dream of affordable, ubiquitous technology helping law enforcement keep the roads safe…and solve crimes. Dig into recent articles about law enforcement tracking the Brown University shooter to a storage container he rented in New Hampshire, and you find Flock’s ALPR technology. But then there are the stories like this one by 404 Media, about how Texas law enforcement utilized a network of more than 80,000 Flock cameras across multiple states to track the movements of a Texas woman seeking an abortion.

The De‑Flock Movement Takes Wing

Today, in 2025, Flock is booming – expanding from its ALPR and gunshot‑detection technology to drones for law enforcement. But it is also facing growing questions and pushback about how its surveillance technology is being used to breach the civil rights of both citizens and residents. Questions about how Flock cameras in Denver, Colorado were being used by ICE to inform raids led the Denver City Council to vote to cancel the city’s contract with Flock (a decision Denver’s mayor ignored). Residents in Huntsville, Alabama have also been organizing to remove the company’s cameras from their community.

The website Deflock has become a rallying point for Flock‑related pushback…and offers an interactive map of Flock deployments globally that you can use to see where the nearest Flock cameras are to you.

Flock markets itself publicly as a “license plate reader” company. But that label is misleading. The systems capture far more than plates, combining high‑resolution imagery with cloud‑based analytics and AI‑driven correlation. When selling to residents, the pitch is minimal data collection. When selling to law enforcement, the message shifts: faster investigations, one‑click case resolution, and powerful intelligence drawn from pooled data.

Move Fast And Make Breakable Things

That gap between marketing narratives matters, because the underlying devices appear to be built with speed and scale—not resilience—in mind. And that’s the focus of our latest podcast. I sat down with musician, YouTuber and activist Benn Jordan as well as independent security researcher Jon Gaines (“Gainsec”) to talk about their deep‑dives into Flock Safety’s AI‑powered surveillance technology.

Benn and Jon’s research focused on second‑hand Flock hardware purchased online. What they found was unsettlingly familiar to anyone who has spent time auditing IoT systems. Jon uncovered dozens of flaws in the Flock software, including remote code execution (RCE) vulnerabilities, which he disclosed to the company. Among the issues were outdated, “end‑of‑life” versions of the Android OS running the devices, debugging features left enabled, and units exposing wireless access points protected by weak or shared credentials. From there it was possible to access administrative interfaces and, through a chain of misconfigurations, escalate privileges all the way to root on devices—potentially putting Flock cameras and the company’s larger network in the hands of malicious actors.

Physical Access? Done!

Flock argues that many of these attacks require physical access. When “physical access” means “standing in a data center,” that’s a valid counter‑argument. But as Jordan notes, that assumption collapses when you’re talking about cameras mounted in public: on roadside poles or at the entrances to apartment complexes, attached with basic hardware and powered by solar panels. Physical access is not hypothetical—it’s a design condition and super easy to obtain.

And possibly not even necessary. More concerning in Jon’s research is the possibility of wireless exposure. He describes scenarios in which a nearby attacker could interact with a camera’s management services over the air, potentially enabling remote access without ever touching the device. At that point, the threat model expands from vandalism to organized crime, stalking, or intelligence gathering.

Surveillance: Everywhere and Insecure

The broader issue is not just Flock, but the normalization of surveillance infrastructure that blends consumer‑grade hardware with law‑enforcement data flows. Android‑based platforms accelerate development and reduce cost, but they also import an enormous attack surface. When those platforms stop receiving security updates, vulnerabilities don’t disappear—they accumulate.

In our conversation, Benn draws a parallel to other technology sectors that raced ahead of governance and security. Once thousands of cameras are installed nationwide, fixing foundational flaws is no longer a software problem. It becomes a logistics problem, a capital problem, and ultimately a public‑safety problem.

For residents and the public, the concern here is how little visibility there is into how long data is retained, who can access it, or how well systems are protected against abuse. For municipalities and police departments, the assumption that “commercial” equals “secure” is proving dangerously optimistic. Our government should also worry. If a lone independent researcher like Jon can easily gain root access to Flock cameras, it’s safe to assume nation‑state actors can also—using Flock’s technology to identify and track individuals of interest.

Episode #263 is a reminder that surveillance tech doesn’t need to be hacked at scale to cause harm. The mere possibility of compromise—combined with opacity and ubiquity—should trigger far tougher scrutiny. As automated monitoring becomes civic infrastructure, security can’t remain an afterthought bolted to a hose‑clamped camera on a pole.

---

Transcript & Podcast Links

• Transcript (AI‑generated) – https://securityledger.com/wp-content/uploads/2025/12/Flock-Surveillance-Insecurity.txt

• MP3 download – https://media.blubrry.com/the_security_ledger_podcasts/content.blubrry.com/the_security_ledger_podcasts/Flock_Surveillance_Insecurity.mp3

• Episode 188: Flock Safety Flies in Surveillance Technology’s Gray Zone – https://securityledger.com/2020/08/episode-188-crowdsourcing-surveillance-with-flock-safety/

• Flock Safety – https://www.flocksafety.com/

• Deflock – https://deflock.me/blog/154

• Jon Gaines Flock Security Research – https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/

• ACLU Colorado: Community Organizations and City Leaders Call for Denver Mayor Mike Johnston to Immediately Turn off Flock Cameras – https://www.aclu-co.org/press-releases/community-organizations-and-city-leaders-call-for-denver-mayor-mike-johnston-to-immediately-turn-off-flock-cameras/

• CNN: The tech firm that helped police find the Brown shooting suspect has sparked privacy concerns. Its CEO responds – https://www.cnn.com/2025/12/19/tech/flock-safety-ai-cameras-brown-suspect-privacy

• 404 Media: A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion – https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/