Flock Safety's 100,000 Cameras: Security Flaws and Abuse

Flock Safety operates the most widespread network of AI-enabled automated license plate readers in the United States, with more than 100,000 cameras installed nationwide. As Engadget reports, these devices do considerably more than read plates: they run modified Android software, identify vehicles by characteristics like color, bumper stickers, and damage patterns, and feed searchable databases that law enforcement can query using natural language. Immigration and Customs Enforcement accesses that footage through data-sharing agreements with local departments.

The security posture is deeply concerning. Independent researcher Benn Jordan found that in December 2025, approximately 70 cameras were publicly accessible without passwords, streaming to the open internet. Earlier investigations also turned up exploitable USB ports and physical buttons that could enable root access, with the added risk of malware installation via standard Android tools. Flock's public response was to characterize the researchers involved as "activist groups who want to defund the police."

Misuse by law enforcement is documented, not theoretical. Multiple officers have been arrested or fired for using Flock to stalk ex-partners. Flock has acknowledged "15 incidents of abuse," though the reporting notes the actual scope likely exceeds documented cases. Separately, Flock employees reportedly accessed children's gymnastics footage for sales demonstrations.

The AI-based identification has also produced concrete harm to individuals. A Colorado financial advisor faced theft charges based on a faulty Flock identification and was exonerated using her vehicle's dashcam footage. OCR errors that confused zeros with the letter O led to additional unwarranted police stops for other drivers.

What the reporting does not fully address is how many cameras remain unpatched after the December 2025 disclosure, or the specific terms of the ICE data-sharing agreements. Cities that have tried to exit these contracts found the terms restrictive enough that Dayton and Evanston resorted to covering cameras with garbage bags rather than breach them. Whether the documented security and misuse findings give municipalities any legal leverage to renegotiate is the question the story leaves open.