Flock Hardcoded the Password for America's Surveillance Infrastructure 53 Times

https://news.ycombinator.com/rss Hits: 15
Summary

Vendor: Flock Safety
Affected Products: Flock Safety's ArcGIS, FlockOS, Aerodome, Flock911
Vulnerability Type: Hardcoded API Key Exposure (CWE-798)
Exposure Count: 53 separate instances across public-facing assets, compromising 50 data layers
Data at Risk: ~5,000 police departments, ~6,000 community deployments, and ~1,000 private businesses
Status: Remediated following responsible disclosure

Executive Summary

I discovered a default ArcGIS API key embedded in Flock Safety's public-facing JavaScript bundles. This single credential granted access to the company's ArcGIS mapping environment and 50 private layers: the same infrastructure that consolidates license plate detections, patrol car locations, drone telemetry, body camera locations, 911 call data, and surveillance camera locations from approximately 12,000 law enforcement, community, and private sector deployments nationwide.

The key was not restricted by referrer, IP, or origin, allowing it to be used by anyone, anywhere. It was exposed publicly across 53 separate Flock Safety front-end bundles and environments, each instance independently granting access to the ArcGIS mapping platform.

Background: What is Flock Safety?

Across the United States, license plate readers, drones, and audio sensors quietly record the movements of millions of people every day. Flock Safety operates one of the largest and most rapidly expanding of these networks, with hundreds of thousands of cameras generating over 30 billion vehicle detections each month, and an undisclosed number of people detections.

At the center of this infrastructure is FlockOS, which Flock markets under the headline "One map. Smarter Response." According to their own documentation, the ArcGIS-powered interface "consolidates all data streams and the locations of each connected asset, enabling greater situational awareness and a common operating procedure." (Source: ClearGov Resource Document)

That "one map" is not a metaphor. It is the ArcGIS stack itself and the exposed API key unl...
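The finding above is a textbook CWE-798 case: a credential shipped in client-side JavaScript, repeated across many bundles. As an added example (not code from the article or from Flock Safety), the following Python script shows how a practitioner would sweep a set of front-end bundles for embedded API keys, discard low-entropy placeholder strings, and count how many separate bundles expose the same credential, which is how an "exposure count" like the 53 above is arrived at. The bundle text and key value are constructed, and the assumption that ArcGIS-style keys are long base64-like tokens beginning with "AAPK" is a pattern assumed here for illustration, not taken from the article.

```python
"""Sweep front-end JavaScript bundles for hardcoded API keys (CWE-798).

Added example, not code from the article or from Flock Safety. The bundle
text, the key value and the assumed "AAPK" key prefix are constructed for
illustration only.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a fragment shaped like a minified bundle that embeds an
# ArcGIS-style API key (fabricated, not a real credential) next to a low-entropy
# placeholder value that a naive regex would also flag.
FAKE_KEY = "AAPKQm9ndXNBcmNHSVNLZXlGb3JEZW1vT25seU5vdFJlYWw0MjQyNDI0Mg"
SAMPLE_BUNDLE = (
    '!function(e){var n={apiKey:"' + FAKE_KEY + '",'
    'portalUrl:"https://example.invalid/arcgis"};\n'
    'var placeholder={apiKey:"' + "a" * 30 + '"};\n'
    'e.config=n}(window);'
)

# Assumption: ArcGIS API keys are long base64-like tokens starting with "AAPK";
# the generic pattern catches keys assigned under common property names.
KEY_PATTERNS = {
    "arcgis_api_key": re.compile(r"AAPK[A-Za-z0-9_\-]{40,}"),
    "apikey_assignment": re.compile(
        r"""(?:apiKey|api_key|API_KEY)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']"""
    ),
}


@dataclass
class Finding:
    kind: str
    value: str
    line: int
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score high, placeholders like 'aaaa' near 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return distinct candidate secrets in one bundle, dropping low-entropy junk."""
    seen: set[str] = set()
    findings: list[Finding] = []
    for kind, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)  # captured key, or whole match
            if value in seen:
                continue
            ent = shannon_entropy(value)
            if ent < min_entropy:
                continue  # e.g. "aaaa..." placeholders, not credentials
            seen.add(value)
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, value, line, ent))
    return findings


def count_exposures(bundles: dict[str, str]) -> dict[str, list[str]]:
    """Map each distinct secret to the bundles that expose it, so one leaked key
    shipped in many bundles is reported as that many independent exposures."""
    exposures: dict[str, list[str]] = {}
    for name, text in bundles.items():
        for f in scan_bundle(text):
            exposures.setdefault(f.value, []).append(name)
    return exposures


if __name__ == "__main__":
    # Two constructed bundles carrying the same fabricated key.
    report = count_exposures({"app.js": SAMPLE_BUNDLE, "admin.js": SAMPLE_BUNDLE})
    for value, names in report.items():
        print(f"{value[:12]}... exposed in {len(names)} bundle(s): {', '.join(names)}")
```

Regex plus entropy is only a first pass: a hit still has to be confirmed by checking what the key is actually authorized to do, and the decisive question raised by the article is whether the key is scoped by referrer, origin or IP at all. A key that works from any origin belongs server-side, behind an authenticated endpoint, not in a bundle.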

First seen: 2026-01-09 22:52

Last seen: 2026-01-10 12:54