Flock Hardcoded the Password for America's Surveillance Infrastructure 53 Times
4 months ago
- #Data Privacy
- #Surveillance
- #Cybersecurity
- Flock Safety exposed a hardcoded ArcGIS API key across 53 public-facing endpoints, compromising its surveillance infrastructure.
- The exposed key granted access to 50 private data layers, including license plate detections, patrol car locations, drone telemetry, and 911 call data.
- Approximately 12,000 law enforcement, community, and private sector deployments were affected, with no IP or referrer restrictions on the key.
- Flock Safety's centralized 'one map' architecture meant the key could access aggregated data from thousands of agencies.
- The vulnerability was discovered and responsibly disclosed, but Flock Safety took 55+ days to remediate it.
- Historical cases show misuse of Flock's surveillance tools by law enforcement for personal stalking and harassment.
- The exposure poses national security risks, as foreign adversaries could exploit movement data for intelligence.
- Flock Safety claims compliance with security standards, but the exposure suggests gaps in its security architecture.
- Recommendations include public records requests, vendor scrutiny, and policy changes to mandate independent audits.