Wirelessly Hacking Flock Safety LPR Cameras

A series of deeply flawed design and security decisions turned Flock Safety’s police surveillance cameras into easily exploitable devices.


Flock Safety has been causing a stir lately among privacy advocates, who are concerned about its public-facing security cameras that are used by police and communities across the country.

I recently reported on how Flock's Condor cameras were exposed to the open internet, allowing anyone to connect to them and view live camera feeds as well as download camera footage. It turns out this isn't the first time Flock has had security issues with their cameras.

What is Flock and What Do They Do?

Flock Safety is a cloud-based security camera manufacturer that sells a range of cameras marketed towards police agencies, communities, and businesses. Their primary customers are police agencies.

They provide cameras that are used for:

To really top off the Big Brother dystopian nightmare, they even have drones that can be deployed by police, fire, and search and rescue.

All of these products connect back to Flock's cloud platform and into various public safety systems such as 911 call centers. From there, officers can track, search, and even deploy a drone to an incident. Agencies can share and search each other's Flock databases for things such as a vehicle's license plate. They have the option to share their Flock systems with other government agencies in their state or even across the country.

Hacking Flock Falcon LPR Cameras

Researchers were able to acquire some of Flock's Falcon cameras off eBay for testing and research. What they discovered turned out to be quite concerning.

They tore down the camera and got to work dissecting how it works. What they discovered is that this particular Flock camera runs on Android OS using a Qualcomm Snapdragon platform.

They were able to determine that this camera uses Android OS 8.1.0 with custom Flock software. They were also able to determine that it is using YOLO and OpenCV for its onboard AI capabilities. YOLO (You Only Look Once) is able to perform real time object detection. These cameras were using yolo_pico3_float16 which is optimized for edge computing platforms like AI enabled security cameras. OpenCV is used as the underlying structure to prepare images for the YOLO model to work with.

The presence of these AI models indicates that the cameras can potentially do more than just read license plates. They could have the capability to track people as well.

They were also able to discover unlocked bootloaders, debug kernels, and an unsecured Wi-Fi in diagnostic mode.

The unlocked bootloader allows for flashing of custom firmware or even an entirely different operating system. The Android system logs also indicate the absence of package verification, with an error message stating, “There should probably be a verifier, but none were found.” This removes the checks needed for installing applications, allowing arbitrary code installation without system validation.

So far, hacking these devices took disassembling the camera to access the underlying hardware. Hacking one of these cameras that's deployed in a public space, likely up high out of reach, would be very difficult.

Luckily, there is an easier way.

Wireless RCE on Flock Falcon Camera

By pressing the button on the camera in a certain sequence, you can enable the built-in Wi-Fi hotspot on the camera. This allows you to connect to the camera and enable ADB (Android Debug Bridge) access without any authentication required. ADB gives you command-line access to the device, including a shell. By doing this, you gain full control over the camera's root system and can do anything you want with it.

Blue Mode Wi-Fi access enables a Wi-Fi hotspot on the camera to be turned on with a default password of “security”.

Blue Mode exposes multiple network services:

  • DNS server on port 53
  • Web server on port 1040
  • MJPEG video stream on port 1234
  • HTTP proxy on port 8080

According to wigle.net, there are over 900 hits, some from 2025, for cameras in the wild with their hotspot active. This means you could potentially gain access over the camera's built-in Wi-Fi without even needing to press the button on the device.
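
A defender-side check for the findings described above (unlocked bootloader, debug build, missing package verifier, ADB without authentication), as an added example that is not from the researchers or from Flock: it audits `getprop` and logcat output captured from a device you are evaluating. The sample input is constructed, and the property names are standard Android ones that are assumed to be present on the unit.

```python
import re

# Constructed sample: `adb shell getprop` and logcat output from a
# hypothetical test unit; values are illustrative, not from a real camera.
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[service.adb.tcp.port]: [5555]
"""
SAMPLE_LOGCAT = """\
01-01 00:00:07.412  1012  1012 I PackageManager: There should probably be a verifier, but none were found
01-01 00:00:09.030  1012  1040 I ActivityManager: System now ready
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
# Matches the message quoted in the article; the comma after "but" is optional.
VERIFIER_RE = re.compile(r"There should probably be a verifier, but,? none were found")

# (property, predicate on its value, finding); absent properties are skipped.
CHECKS = [
    ("ro.boot.verifiedbootstate", lambda v: v != "green", "verified boot state is not green"),
    ("ro.boot.flash.locked", lambda v: v != "1", "bootloader is unlocked"),
    ("ro.build.type", lambda v: v != "user", "debug (non-user) build"),
    ("ro.debuggable", lambda v: v == "1", "system is debuggable"),
    ("ro.secure", lambda v: v == "0", "adbd runs as root by default"),
    ("ro.adb.secure", lambda v: v != "1", "ADB does not require host key authorization"),
    ("service.adb.tcp.port", lambda v: v not in ("", "0", "-1"), "ADB listens on the network"),
]

def parse_getprop(text):
    matches = (PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit(getprop_text, logcat_text):
    props = parse_getprop(getprop_text)
    findings = [f"{name}={props[name]}: {msg}"
                for name, is_bad, msg in CHECKS
                if name in props and is_bad(props[name])]
    if VERIFIER_RE.search(logcat_text):
        findings.append("logcat: no package verifier registered")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, SAMPLE_LOGCAT):
        print("FAIL", finding)
```

A production image should return an empty list; any finding here corresponds to one of the weaknesses the researchers reported.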

Conclusion

I am at a loss for words on this issue. It's hard to believe that a tech company has been this reckless with their devices. To top it off, they are marketed to public safety agencies that use the product for sensitive data. The fact that Flock is still even in business after all of these security issues is mind-blowing. To me, this shows a lack of professionalism on Flock's part and a lack of awareness or care on the government agency's part. It appears that Flock is just in this for a quick buck, and the government is turning a blind eye in return for unrestricted access to our privacy.


Benn Jordan's YouTube Video About Flock Safety