Hacker News

Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves

598 points by chaps yesterday at 4:31 PM | 406 comments

Archive Link: https://archive.ph/IWMKe

Also: https://www.youtube.com/watch?v=vU1-uiUlHTo (This Flock Camera Leak is like Netflix For Stalkers)


Comments

dogman144 yesterday at 11:42 PM

Was fortunate to talk to a security lead who built the data-driven policing network for a major American city that was an early adopter. ALPR vendors like Flock either heavily augment and/or anchor the tech setups.

What was notable to me is the following, and it’s why I think a career spent on either security researching, or going to law school and suing, these vendors into the ground over 20 years would be the ultimate act of civil service:

1. It’s not just Flock cams. It’s the data eng into these networks - 18 wheeler feed cams, flock cams, retail user nest cams, traffic cams, ISP data sales

2. All in one hub, all searchable by your local PD and also the local PD across state lines who doesn’t like your abortion/marijuana/gun/whatever laws, and relying on:

3. The PD to set up and maintain proper RBAC in a nationwide surveillance network that is 100%, for sure, no doubt about it (wait how did that Texas cop track the abortion into Indiana/Illinois…?), configured for least privilege.

4. Or if the PD doesn’t want flock in town, they reinstall cameras against the ruling (Illinois iirc?) or just say “we have the feeds for the DoT cameras in/out of town and the truckers through town so might as well have control over it, PD!”

Layer the above with the current trend in the US, and 2025 model Nissan uploading stop-by-stop geolocation and telematics to cloud (then, sold into flock? Does even knowing for sure if it does or doesn’t even matter?)

Very bad line of companies. Again all is from primary sources who helped implement it over the years. If you spend enough time at cybersecurity conferences you’ll meet people with these jobs.

edot yesterday at 4:54 PM

Flock or their defenders will lock in on the excuse that “oh these are misconfigured” or “yeah hacking is illegal, only cops should have this data”. The issue is neither of the above. The issue is the collection and collation of this footage in the first place! I don’t want hackers watching me all the time, sure, but I DEFINITELY don’t trust the state or megacorps to watch me all the time. Hackers concern me less, actually. I’m glad that Benn Jordan and others are giving this the airtime it needs, but they’re focusing the messaging on security vulnerabilities and not state surveillance. Thus Flock can go “ok we will do better about security” and the bureaucrats, average suburbanites, and law enforcement agencies will go “ok good they fixed the vulnerabilities I’m happy now”

jjwiseman yesterday at 7:28 PM

The CEO of Flock, Garrett Langley, called Deflock a terrorist group. It's unhinged. https://www.youtube.com/watch?v=l-kZGrDz7PU

KurSix today at 10:39 AM

The most terrifying part here is the synergy between the AI feature and the security hole. An open stream from a static camera is one thing, but it's entirely different when you have an open-access AI agent that autonomously finds "interesting" targets, zooms in on faces, and tracks people between cameras. This transforms a passive data leak into an active, real-time stalking tool

fusslo yesterday at 7:12 PM

I wonder what our founders would think about tools like Flock.

From what I understand these systems are legal because there is no expectation of privacy in public. Therefore any time you go in public you cannot expect NOT to be tracked, photographed, and entered into a database (which may now outlive us).

I think the argument comes from the 1st amendment.

Weaponizing the Bill of Rights (BoR) for the government against the people does not seem to align with my understanding of why the Bill of Rights was cemented into our constitution in the first place.

I wonder what Adams or Madison would make of it. I wonder if Benjamin Franklin would be appalled.

I wonder if they'd consider every license plate reading a violation of the 4th amendment.

culi yesterday at 7:06 PM

This was posted to HN a week ago but didn't get enough attention due to the weird title.

It's a map of all city council meetings in the US whose agenda mentions Flock

https://alpr.watch/

afarah1 yesterday at 7:35 PM

In Brazil there is a similar problem, but it's not as widely discussed. Here, police investigations revealed that a website sold access for less than $4 to the nation-wide surveillance system, which included live feeds of public safety cameras and person search by tax identifier. It was also shown that criminal organizations used it to locate their targets. Access was through the open internet, with leaked credentials; the federal government's system requires no VPN for access.

Source (Portuguese): https://mpmt.mp.br/portalcao/news/1217/164630/pf-expoe-invas...

catoc today at 5:01 AM

What I don’t understand is how you can work at a company like Flock and look yourself in the mirror. Seriously. You must be aware of the inherent evil, of the privacy invasive nature of your product, of how it’s being actively abused. How do you rationalize this for yourself?

kklisura yesterday at 6:17 PM

For more context here, Flock Safety is a YC-backed company [1][2]

[1] https://www.ycombinator.com/companies/flock-safety

[2] https://x.com/garrytan/status/1856016868580151615

Bender yesterday at 6:10 PM

Children could go missing thanks to Flock default settings. HN would tell me to never attribute to malice ... but there may be criminal negligence.

To cover their butts I strongly suggest Flock implement a default "grading system" that will show a city in a banner at the top of their management and monitoring system that based on their camera and network configuration they get an A+ to F-. If the grade is below a C then it must be impossible to get rid of the banner and it must be blinking red. The grading system must be both free, mandatory and a part of the core management code. This assumes Flock will have the willpower to say no when a city demands removal of the flashing red banner. Instead up-sell professional services to secure their mess. I would like to see the NCC Group review their security and future grading system.

e40 yesterday at 6:31 PM

Him reading the Flock statement on a Flock camera open on the internet was just so good. I love and support Benn Jordan.

mmaunder yesterday at 7:37 PM

Really valuable research. A benefit to public safety, and drawing attention to a sloppy vendor in the security space, claiming to secure the public, but instead putting the public at risk. However I'm deeply concerned for the researcher and all involved because this may be a criminal violation under the CFAA - accessing these systems without authorization, even if they don't have authentication.

eightysixfour yesterday at 5:43 PM

I don't want these cameras to exist but, if they're going to, might we be better off if they are openly accessible? At the very least, that would make the power they grant more diffuse and people would be more cognizant of their existence and capabilities.

crumpled yesterday at 9:38 PM

Yes. This looks bad for Flock security.

Good thing nobody tried to pop a shell on the camera OS and move laterally through the network. That would be bad.

I'm sure it's all very secure though.

dvtkrlbs yesterday at 4:41 PM

I just watched Benn Jordan's video on this. Even if this is just a configuration error on some of their cameras, this is terrifying and I think they should be held accountable for this and their previous myriad of CVEs.

kirykl yesterday at 6:23 PM

If the cameras are recording public areas, isn’t it better the recorded footage stays public?

mvkel today at 1:17 AM

the main summary of 1984: "neighbors are encouraged, via telescreens, to spy on one another to enforce conformity."

The thing to fear isn't some higher state; it's each other. We happily will surveil each other under the auspices of safety.

Hell, these days, our kids grow up with cameras pointing at them in their own rooms. What did we expect?

Until we are willing to accept more "risk" in exchange for more privacy, this will only get worse. (It's why I believe most tech/services that tout privacy are DoA, because nobody actually cares)

performative yesterday at 11:44 PM

benn jordan has been on an absolute tear recently. one of my favorite people nowadays

tptacek yesterday at 6:03 PM

I would love to watch a shorter version of this video that just discussed the deltas between the status quo and Flock, rather than breathlessly reporting the implications of cameras as if they were distinctive to Flock. He'll spend 30 seconds talking about how you can see every activity and every person on the camera --- yeah, that's how cameras work. There are thousands of public IP cameras on the Internet, aimed at intersections, public streets, houses, playgrounds, schools; most of them operated that way deliberately.

There are Flock-specific bad things happening here, but you have to dig through the video to get to them, and they're not intuitive. The new Flock "Condor" cameras are apparently auto-PTZ, meaning that when they detect motion, they zoom in on it. That's new! I want to hear more about that, and less about "I had tears in my eyes watching this camera footage of a children's playground", which is something you could have done last week or last year or last decade, or about a mental health police wellness detention somewhere where all the cops were already wearing FOIA-able body cams.

If open Flock cameras gave you the Flock search bar, that would be the end of the world. And the possibility that could happen is a good reason to push back on Flock. But that's not what happened here.

rsync yesterday at 8:54 PM

There's an interesting idea here that is tangentially related to "common carrier" regulations ...

Specifically:

If a flock (or similar) camera is deployed on public land/infra there should exist default permission for any alternate vendor to deploy a camera in the same location.

I wonder how that could be used and/or abused and, further, what the response from a company like flock would be ...

bpiche yesterday at 6:49 PM

Kirlian Selections rocks

everdrive yesterday at 6:25 PM

It's getting pretty crazy out there. What's your recourse for this? Avoid most populated areas?

SamInTheShell yesterday at 5:31 PM

It's 2025. The ISP gateway I got comes with more default security than these cameras. The barrier to entry on security is lower than it ever has been in history. Whoever let this past the QC phase is an idiot.

eddyg yesterday at 6:18 PM

Yes, they should be secured so they can only be accessed by law enforcement.

But if your spouse/SO/sister/mother/girlfriend/whatever was assaulted while jogging in a park that had Flock cameras, and it allowed law enforcement to quickly identify, track, apprehend and charge the criminal, you'd absolutely be grateful for the technology. There's nothing worse than being told "we don't have any leads" when someone you care about has been attacked.

GaryBluto yesterday at 7:29 PM

I'm not sure if it's better or worse to have it publicly accessible or only accessible to an elite group.

bromuk yesterday at 5:36 PM

Really great investigation, what's the URL of the "vibe coded" site with the access links?

btbuildem yesterday at 8:27 PM

glock > flock

Is mass vandalism the final answer to this problem?

kjkjadksj today at 12:43 AM

Flock cameras would be so easy to disable by motivated people. Dress in nondescript clothing, mask, sunglasses, and just spraypaint over the lenses. This is completely asymmetric warfare because it is trivial how long it would take for you to do this. You could hit dozens of cameras across an area overnight. Meanwhile, flock or the city, whoever maintains this stuff, needs to identify the vandalized cameras, flag them for repair, pay a technician to go out and presumably repair the unit outright. You pay cents and they are paying potentially thousands in labor and hardware costs.

And this would absolutely work at scale too. Streetlights are already being vandalized for their copper and most cities cannot afford to hire more technicians to even keep up with streetlight repair. I believe I’ve seen the backlog for streetlight repair in LA is over 10x what the current street services crew is capable of repairing in a year of constant work and growing by the day.

Municipalities and these technology companies cannot keep up against a motivated crew and can’t afford to scale either. Totally asymmetric.

givemeethekeys yesterday at 5:53 PM

At what point does the top brass at Flock get arrested?

monkaiju yesterday at 6:02 PM

I guess that while it is alarming that these feeds were "unsecured" I'm just as concerned that they exist at all. Folks worry about it getting into the "wrong hands" but from my POV it was put up by the wrong hands.

While both are a problem I am far more concerned about the power this gives our, increasingly authoritarian, government than about individual stalkers/creeps.

vatsachak yesterday at 6:36 PM

You could kinda already do this with all kinds of security cameras. There are only so many people who are computer proficient, and that number is lower than the number of camera installers.

There have been cases of people getting into baby monitors and yelling at the baby.

But as a tech company, this is extremely irresponsible

BTW, Benn Jordan is also known as The Flashbulb, an ambient legend

sneak yesterday at 11:12 PM

We really should be referring to them as “Flock (YC S17)”. Credit where credit is due.

j3s yesterday at 5:59 PM

flock is the most heinous reflection of the ills of our current socioeconomic structure. absolutely nobody should be okay with mass surveillance, much less mass surveillance enabled by a private company.

therobots927 yesterday at 7:10 PM

Flock is cooked. They didn’t even implement basic security features for an extremely sensitive database. More ammo for those of us trying to get our local authorities to cut ties with this disgusting excuse for a startup.

fortran77 yesterday at 6:37 PM

Interesting, but nothing new. Shodan users have known about clueless IP camera owners that leave their cameras on the public internet for years. This is a little more interesting because it's from a well-funded startup rather than independently owned Chinese IP cameras.

ck2 yesterday at 6:00 PM

remember when people first started experiencing TSA and there were massive protests at how obscene and violating it all was, then uncovering how useless they were as fake security theater

and they were going to get it all shut down

TWENTY-FIVE YEARS NOW

so good luck getting rid of flock where people don't even know it's happening

Not sure if people realize that cellphone locations, several layers in the firmware and software, can be had without warrant by anyone YEARS LATER

ChrisArchitect yesterday at 7:05 PM

Associated Benn Jordan video post: https://www.youtube.com/watch?v=vU1-uiUlHTo

stackedinserter yesterday at 6:47 PM

Easy solution for Flock problem: get rid of visible license plates. Make them 2x1" of size and RFID-readable, give readers to police, problem solved.

Not-that-easy solution is legal ban for such surveillance.

Neither of these will happen though.

You accepted TSA and PRISM, you will get used to Flock too.

Next is Flock but for people, with face recognition.

tonymet yesterday at 7:27 PM

I’m baffled by the state of law enforcement. On one hand we are spending loads on surveillance, but on the other we refuse to enforce violent, property & drug-abuse crimes. Gross violent offenders are being allowed to walk. So what is the point of all the CCTV?

As major investors in Flock, being aware of the long term law enforcement strategy, I’m guessing ycombinator can comment on what all of this investment is for.

neogodless yesterday at 6:35 PM

Related:

https://news.ycombinator.com/item?id=46356182 Benn Jordan – This Flock Camera Leak Is Like Netflix for Stalkers [video] (youtube.com)

EcommerceFlow yesterday at 7:13 PM

[flagged]

huflungdung yesterday at 6:11 PM

Oh no. Someone can view cctv data and delete it. Always blown out of proportion. The likelihood of someone a) committing a crime or otherwise b) knowing there was this specific brand of camera software being run on a camera in that area c) knowing how to access these portals

Is basically zero.

cm2187 yesterday at 6:33 PM

[flagged]

chzblck yesterday at 8:15 PM

People who complain about flock should have to list how many crimes are in their zip code to be taken seriously.
