Major Security Flaws Found in Widely Deployed IoT Cameras
A researcher has revealed that over 80,000 Flock Safety automatic license plate recognition (ALPR) cameras have significant security vulnerabilities. The flaws include unencrypted on-device storage, weak Wi-Fi encryption, and exposed camera feeds discoverable on the internet. The report prompted some law enforcement agencies to terminate their contracts with the company.
- The vulnerabilities were discovered by cybersecurity researcher Jon Gaines, who purchased Flock cameras on eBay and found he could gain root access to a device's "compute box" in as little as 30 seconds with physical access.
- Specific technical flaws included the cameras running on Android 8, an operating system that stopped receiving security updates in 2021, as well as exposed USB ports that could allow malicious scripts to be executed.
- Researchers found that a specific, undocumented sequence of button presses on the camera's hardware could activate a Wi-Fi hotspot, allowing an attacker to connect directly to the device and gain deep system access.
- In response, Flock Safety stated that exploiting these hardware flaws would require physical access and that its cloud platform has never been hacked or breached. The company also noted it had worked with the researcher to register the vulnerabilities with the National Vulnerability CVE database.
- Beyond the hardware vulnerabilities, Flock has faced widespread criticism for its data-sharing practices, having previously engaged in pilot programs with U.S. Customs and Border Protection and Homeland Security Investigations.
- The combination of security flaws and data privacy issues has led several municipalities, including Denver, CO, and Lynnwood, WA, to terminate or suspend their contracts with the company. Denver explicitly cited concerns over protecting immigrants and individuals seeking reproductive healthcare when it switched to a new vendor.
- The police web interface for accessing camera data did not initially mandate multi-factor authentication (MFA), a decision one security researcher called "mind-boggling." Flock has since made MFA the default for new users, but some existing law enforcement customers have reportedly declined to enable it.
- This incident is part of a broader pattern of security failures in the IoT camera industry, including the 2021 Verkada breach where hackers gained access to 150,000 cameras and the infamous 2016 Mirai botnet which used unsecured cameras to launch massive denial-of-service attacks.