For an unknown period, at least 60 AI-powered surveillance cameras manufactured by Flock Safety were accessible to anyone on the internet. No password required. No login needed. Just a web browser and the camera’s IP address.
The exposed devices were Flock’s Condor PTZ cameras—sophisticated systems that can pan, tilt, zoom, and use artificial intelligence to track people and vehicles automatically. Researchers found they could watch live feeds, download 30 days of archived footage, access administrator panels, and change configuration settings.
This was not a theoretical vulnerability. Reporters verified the exposure by visiting camera locations in person, watching themselves on live streams that anyone in the world could access.
This article explains what happened, how it was discovered, and what it reveals about the risks of networked surveillance infrastructure.
What Flock Safety Does
Flock Safety sells AI-powered camera systems primarily to law enforcement agencies and businesses. The company operates in more than 5,000 communities across 49 US states and processes billions of vehicle scans monthly. Its automated licence plate recognition (ALPR) technology helps police track vehicles connected to crimes, missing persons cases, and other investigations.
The exposed cameras were Flock’s Condor line—advanced devices designed for active surveillance rather than passive recording. These cameras can autonomously follow moving objects, zoom in on details, and alert operators when something matches predefined criteria.
Flock recently partnered with Ring, Amazon’s doorbell camera company, expanding its reach into residential neighbourhoods. The company positions itself as a public safety solution, but critics have long raised concerns about the surveillance infrastructure it creates.
How the Exposure Was Discovered
The vulnerability was initially identified by Benn Jordan, a technologist and YouTuber who investigates privacy and security issues. Jordan and security researcher Jon “GainSec” Gaines located the exposed cameras using Shodan, a search engine that indexes internet-connected devices.
Shodan is commonly used by security researchers to find improperly secured systems. By searching for specific device signatures, researchers can identify everything from unsecured webcams to industrial control systems left open to the internet. The Flock cameras appeared in Shodan results because they were reachable from the public internet and served their interfaces without authentication.
Verification
Journalists from 404 Media verified the exposure by physically visiting one of the camera locations in Bakersfield, California. Standing in front of the camera, a reporter watched himself in real time on the exposed livestream while colleagues hundreds of miles away observed the same feed remotely.
The exposure was not limited to video. Researchers could access administrative interfaces that allowed downloading archived footage, deleting recordings, changing camera settings, and running diagnostic commands. In some cases, log files revealing operational details were also accessible.
What Was Exposed
The cameras were monitoring locations across the United States, including parking lots, public trails, bike paths, and residential areas. One exposed feed showed children playing on a playground—footage anyone could have watched or downloaded.
The implications vary by location. Footage from a parking lot might reveal who visits a particular business and when. Footage from residential areas could show daily routines, visitors, and vehicle movements. Across 30 days of archived video, patterns emerge that reveal significant personal information about the people captured.
Administrator Access
Beyond viewing footage, the exposed interfaces allowed configuration changes. Someone with malicious intent could have:
- Downloaded all archived footage for later analysis or sale
- Deleted recordings to cover up crimes
- Adjusted camera positioning to monitor different areas
- Disabled cameras entirely
Flock described the issue as “a limited misconfiguration on a very small number of devices” and said it has been fixed. However, the company did not specify how long the cameras were exposed or whether any unauthorised access occurred.
The Broader Security Problem
This incident highlights systemic issues with networked surveillance infrastructure. The same features that make these systems useful—remote access, cloud storage, AI analysis—create attack surfaces that can be exploited when security fails.
No Multi-Factor Authentication
Members of the US Congress, including Senator Ron Wyden and Representative Raja Krishnamoorthi, have called on the Federal Trade Commission to investigate Flock. Their letter cited concerns that Flock does not enforce multi-factor authentication (MFA) for access to its systems.
Without MFA, stolen or weak passwords provide full access to surveillance networks. Law enforcement agencies using Flock systems have been targeted by hackers seeking access to police surveillance capabilities. The lack of mandatory MFA makes these attacks easier to execute.
Misconfiguration at Scale
Flock operates thousands of camera installations. A configuration error affecting even a small percentage of devices can expose dozens or hundreds of cameras. The fact that 60+ cameras were found exposed suggests the problem was not an isolated incident but a systemic failure in deployment or update procedures.
The company’s description of the issue as “limited” may be accurate in percentage terms but understates the real-world impact. Each exposed camera represents a potential privacy violation for everyone who passed in front of it.
Why This Matters Beyond Flock
The Flock exposure is part of a broader pattern. Internet-connected surveillance systems are deployed faster than security practices can keep up. Police departments, businesses, and homeowners install networked cameras without fully understanding the risks. Vendors prioritise features and rapid deployment over security hardening.
The Expansion of Surveillance Infrastructure
Over the past decade, surveillance camera deployments have grown dramatically. Cities have installed networked cameras on streetlights. Businesses use AI-powered systems for loss prevention. Homeowners add doorbell cameras and security systems. Each device expands the attack surface.
When these systems are properly secured, the data they collect remains under the control of the operator. When security fails—through misconfiguration, weak passwords, software vulnerabilities, or insider threats—that data becomes accessible to anyone.
Centralisation Creates Concentrated Risk
Flock’s business model involves centralising surveillance from many locations into integrated platforms. This creates efficiency for law enforcement but also concentrates risk. A single security failure can expose data from cameras spread across multiple states.
The 2024 breach of Change Healthcare demonstrated similar risks in the healthcare sector—one company’s security failure affected millions of patients across hundreds of providers. Surveillance platforms present analogous risks, with the added concern that exposed footage can enable stalking, harassment, and physical harm.
What This Means for Affected Communities
Communities that have deployed Flock cameras now face questions about what was exposed and for how long. Individuals who were recorded by the exposed cameras have no way of knowing whether their footage was accessed by unauthorised parties.
The lack of transparency compounds the problem. Flock has not disclosed which specific cameras were affected, when the exposure began, or whether it detected any unauthorised access. Without this information, affected individuals cannot assess their own risk.
Conclusion
The Flock camera exposure is a case study in what happens when surveillance infrastructure outpaces security. Systems designed to track people and vehicles were left open to the internet, accessible to anyone who looked. The footage—including images of children on a playground—could be watched, downloaded, and potentially misused.
Flock says the issue is fixed. But the incident raises questions that extend beyond one company’s misconfiguration. As surveillance networks grow larger and more interconnected, the consequences of security failures grow with them. Each camera, each database, each AI-powered tracking system adds capability for those who control it—and risk for everyone it observes.
Sources
- 404 Media: Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves
- Bruce Schneier: Flock Exposes Its AI-Enabled Surveillance Cameras
- TechCrunch: Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers
- PetaPixel: Big Brother Left the Door Open: Flock’s AI Surveillance Cameras Exposed to the Internet
- 9News: Douglas County’s Flock camera compromised as company leaves it exposed on internet
