Ben Jordan Exposes Severe Security Vulnerabilities in Flock Surveillance Cameras
YouTuber and musician Ben Jordan, in a 40-minute exposé of Flock Safety's flimsy security, showed just how easy it is for hackers to get the sensitive data stored inside one of their ubiquitous surveillance cameras.
The cameras (which apparently run Android) have a button on the back. Anyone with physical access to one of the cameras can press it in a specific, undisclosed sequence, and a Wi-Fi access point is created. From here, you simply connect to it, enable adb (Android Debug Bridge), and you essentially have carte blanche access to the device. You can install your own malicious software or really anything you want; it's yours now.
"The longest part, actually, is waiting for the hotspot to turn on," said Jon Gaines, the original discoverer of the vulnerability, at one point in the video.
The device also has completely exposed USB ports, which means you can simply plug in a malicious USB device like a rubber ducky that pretends to be a keyboard and executes scripts that way.
The interface that police use to access data from Flock cameras also doesn't require 2FA for police departments, a mind-boggling decision considering how sensitive the data is.
The cameras also have hard-coded Wi-Fi network names that they will happily connect to when an LTE signal isn't available, making it easy for an attacker to trick them into connecting to a malicious Wi-Fi access point. Some would even connect to the malicious Wi-Fi whether a SIM card was inserted or not. The cameras were sending cleartext credentials, allowing for an extremely easy man-in-the-middle attack.
An IMSI catcher, a device which mimics a cell tower to trick cellular devices into connecting to it, could also be used to MITM the devices.
The cameras would also store images unencrypted whether a license plate was detected or not. The researchers also found images stored all the way from when the devices were tested in the factory, suggesting that images aren't deleted.
The cameras were also found to be running Android 8, a version of Android that hasn't had security updates since 2021 and is missing all of the Android security features added since 2017.
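For teams that operate their own Android-based field devices, the adb and patch-level findings above translate into a routine configuration check. The following is an added example, not code from the video or the write-up: it parses `adb shell getprop` output (a constructed sample is embedded) and flags those conditions. The function names and the policy thresholds are assumptions.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output for a hypothetical device;
# the values are illustrative and were not taken from a Flock camera.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2019-06-05]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
[service.adb.tcp.port]: [5555]
[ro.crypto.state]: [unencrypted]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    matches = (PROP_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit(props, today, max_patch_age_days=180, min_sdk=33):
    """Return a list of findings; both thresholds are assumed policy values."""
    findings = []
    sdk = int(props.get("ro.build.version.sdk", "0"))
    if sdk < min_sdk:
        findings.append(f"outdated Android (SDK {sdk} < {min_sdk})")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"security patch level {patch} is {age} days old")
    except ValueError:
        findings.append("security patch level missing or unparseable")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    if props.get("ro.adb.secure") != "1":
        findings.append("adb does not require host key authorization")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("adb enabled over USB")
    if props.get("service.adb.tcp.port", "-1") not in ("", "-1", "0"):
        findings.append("adb listening on TCP")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("user data partition not encrypted")
    return findings
```

Calling `audit(parse_getprop(SAMPLE_GETPROP), date.today())` returns one finding per weak setting in the sample; an empty list means the device passed every check.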
The video is an absolute treat. You should go give it a watch, and check out Jon Gaines' site and write-up as well.