This article includes my own security engineering informed analysis / opinion.
Surveillance as a Service Part 2
Read Part 1 for background on Flock Safety
Flock Safety says Falcon cameras provide 24/7 day-or-night detection of license plates, vehicle model, color, even aftermarket parts and bumper stickers. Flock says still images plus “vehicle fingerprint” metadata, are processed locally, and sent back to Flock over a cellular connection. No need to stream bulky live video, which economizes on network infrastructure. A solar panel and batteries forego the need for hardwired power.
Given the nature of what these devices do, and the fact that they are designed to blend into the environment, it may be advantageous to make people aware of where they're located.
Falcon V2 cameras are composed of the following hardware, mentioned in a press release by Lantronix about their partnership with Flock Safety:
Lantronix Open-Q™ 624A System-On-Module (SOM)
Android™ 8.1 Oreo
Qualcomm® Snapdragon™ 624 processor
A Falcon camera label lists the following FCC registered components:
FCC ID N7NRC76B Sierra Wireless Inc. RC76B RC7611 IoT (LTE Cat-4)FCC ID WCBN3510A LiteOn 802.11 a/b/g/n/ac 2T2R+BT V4.2LE LTE
Each Flock device has a QR code sticker that encodes data about the devices. Here are some codes from Flock Safety devices available on Ebay, decoded below.
Raven {"pn":'703–00005',"imei":'864351059169203',"mac":'EC62606B024C',"sim":'89883070000030222390',"fsn":'23071370067'}
Falcon {'pn':'701–00161','imei':'014697000764750','mac':'744CA168DA63','sim':'89014103272872397886','fsn':'21062126FF3'}
Falcon {'pn':'701-00203','imei':'358026260461440','mac':'9C2F9D6F45A7','sim':'89148000008319644666','fsn':'221013201E0'}It’s interesting these cameras have Bluetooth and WiFi radios. WiFi does not appear to be used in the field for normal operations.
If you wanted to try to locate cameras with WiFi you might use a tool like WiGLE.net, which catalogs such access points using crowdsourced data. Because we know the devices use a fairly niche Lite-On chipset specific to IoT devices, it was easy to find that the cameras have an obvious common WiFi name scheme: Flock-[partial MAC address].
Let's manually confirm that these hits are real, installed Flock devices. Castle Rock, CO PD is one of the customers with a Transparency Page, and some of the cameras in that city are in the WiGLE.net WiFi data.
It appears that WiFi being enabled on a camera is an irregularity, since on-site investigations did not show WiFi available near some known Flock Safety devices. What seems to make sense is Wifi being enabled for the installation and initial setup, or field troubleshooting.
This mLive photo gallery includes a photo of a Flock Safety technician looking at a phone in close proximity to a camera, giving the impression he's using it to set up the camera. This WiFi function presents a webcam-like web interface which seems to help the installer put the camera in the optimal position.
Flock Safety likely has tens of thousands of devices in the field though. Can we do any better? We can with Bluetooth.
Every Flock device with an external battery uses Bluetooth to communicate health and safety data back to the camera. The Bluetooth radios use predictable naming schemes.
Penguin-NNNNNNNNNNN (N = decimal digit)
FS Ext BatteryUsing these patterns to search the WiGLE.Net data nets many more hits, 18,000+ in fact.
Some cameras have multiple external batteries. Some (very few) cameras are hardwired and have no external batteries. WiGLE.Net relies on citizen reported data, so not all cameras will be identified in this dataset.
Mapping this data shows us what is potentially the real extent of Flock device deployments across the country, that line up a lot better with we know about Flock customers from the Transparency Portals.
