Video from Benn Jordan about the ability to access admin interfaces for Flock Cameras, “This Flock Camera Leak is like Netflix For Stalkers”
Benn Jordan's new video on the security failures of Flock Safety
Flock Safety Hacking Video - heads up about potential misinformation causing concerns about ArcGIS security
Benn Jordan's flock camera jammer will send you to jail in Florida now - Louis Rossmann - YouTube
Came across this video on YouTube. Benn Jordan goes through access for Flock which allows live stream and archive video viewing without any password protection. He’s also previously covered the many issues with exploits to access the physical cameras.
Relevance: these cameras are becoming more prevalent all over Columbus.
I am generally a fan of Benn Jordan's work, but when I saw his video about Flock Safety cameras a few days ago, some of what he said about GIS kind of stuck out to me.
The video is here: https://www.youtube.com/watch?v=uB0gr7Fh6lY
At around the 15-minute mark, he discusses how many law enforcement agencies use AVL to determine which officers are nearest calls, so they can respond more quickly, and that this data is often integrated with Flock resources.
To quote the transcript from the video:
If you call 911 and the dispatcher deems it an emergency requiring police, most modern police cars have a GPS module installed that reports back to dispatch. That way they can efficiently contact the police nearest the event and expedite the response time. Flock Safety and many of its clients use third-party services that make sense of this constant stream of data, and all of that data is handled with an API. Just a few weeks ago, two security researchers, Alexa Feminina and James Zang, wrote a report discovering that ArcGIS had been compromised by a Chinese state-sponsored hacking group called Flax Typhoon. The report from Infosecurity Magazine states, "The hackers allegedly targeted a legitimate public-facing ArcGIS application. This is software that allows organizations to manage spatial data for disaster recovery, emergency management, and other critical functions." This is just a very recent example of what could be compromised with sensitive API information for geospatial platforms.
Esri's response to this, from about a month ago, is here:
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/understanding-arcgis-server-soe-compromise
- The operators of the environment had server manager exposed to the internet
- MFA was not used, presumably the attackers got in via a valid username/password
- The attackers deployed a malicious SOE
- The ArcGIS Server's service account had root-level permissions which permitted the SOE to be used to deploy a VPN endpoint payload
The attack in question seems to have nothing to do with Flock Safety at all. My assumption is that Benn Jordan just threw it into his video to strengthen his argument that everything surrounding Flock Safety is suspect and not to be trusted - including the maps on which camera positions, etc., may be displayed.
Anyway, I just wanted to post this here for other enterprise GIS administrators and managers who may get asked about this. I've already had two individuals from my organization ask if this is something we should be worried about - we have neither Flock equipment nor public-facing server manager login pages nor do our service accounts have anything even remotely close to root level permissions.
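For administrators who want to answer that question from their own inventory, the four conditions listed above can be checked per site. This is an added example, not code from the post or from Esri; the inventory schema, the internal address ranges, the privileged-group list and all sample values are assumptions constructed for illustration.

```python
import ipaddress

# Assumed internal ranges; replace with your organisation's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Groups treated as root-level (assumed list; adjust per OS and directory).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "Administrators", "Domain Admins"}

def audit_site(site, approved_soes):
    """Return findings for one ArcGIS Server site record (hypothetical schema)."""
    findings = []
    # 1. Server Manager published on an address outside the internal ranges.
    exposed = [a for a in site["manager_addresses"]
               if not any(ipaddress.ip_address(a) in n for n in INTERNAL_NETS)]
    if exposed:
        findings.append("manager exposed on: " + ", ".join(exposed))
    # 2. Administrative logins that rely on a password alone.
    if not site["admin_mfa_enforced"]:
        findings.append("MFA not enforced for administrative logins")
    # 3. Deployed SOEs whose SHA-256 is not on the approved list.
    for name, digest in sorted(site["soes"].items()):
        if digest not in approved_soes:
            findings.append("unapproved SOE deployed: " + name)
    # 4. Service account running with root-level rights.
    acct = site["service_account"]
    if acct.get("uid") == 0 or PRIVILEGED_GROUPS & set(acct["groups"]):
        findings.append("service account '%s' has root-level permissions" % acct["name"])
    return findings

# Constructed inventory: placeholder digests and documentation-range addresses.
APPROVED_SOES = {"a" * 64}
SITES = [
    {"name": "gis-public", "manager_addresses": ["203.0.113.10"],
     "admin_mfa_enforced": False,
     "soes": {"approved_tool.soe": "a" * 64, "unknown_upload.soe": "b" * 64},
     "service_account": {"name": "arcgis", "uid": 0, "groups": ["root"]}},
    {"name": "gis-internal", "manager_addresses": ["10.20.0.5"],
     "admin_mfa_enforced": True,
     "soes": {"approved_tool.soe": "a" * 64},
     "service_account": {"name": "arcgis", "uid": 1001, "groups": ["arcgis"]}},
]

if __name__ == "__main__":
    for s in SITES:
        print(s["name"], audit_site(s, APPROVED_SOES) or "no findings")
```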