Vendor: Flock Safety
Affected Products: Flock Safety's ArcGIS, FlockOS, Aerodome, Flock911
Vulnerability Type: Hardcoded API Key Exposure (CWE-798)
Exposure Count: 53 separate instances across public-facing assets, compromising 50 data layers
Data at Risk: ~5,000 police departments, ~6,000 community deployments, and ~1,000 private businesses
Status: Remediated following responsible disclosure
Executive Summary
I discovered a Default ArcGIS API key embedded in Flock Safety's public-facing JavaScript bundles. This single credential granted access to the company's ArcGIS mapping environment, including 50 private layers: the same infrastructure that consolidates license plate detections, patrol car locations, drone telemetry, body camera locations, 911 call data, and surveillance camera locations from approximately 12,000 law enforcement, community, and private-sector deployments nationwide.
The key was not restricted by referrer, IP, or origin, so it could be used by anyone, anywhere. It was exposed publicly across 53 separate Flock Safety front-end bundles and environments, each instance independently granting access to the ArcGIS mapping platform.
Background: What is Flock Safety?
Across the United States, license plate readers, drones, and audio sensors quietly record the movements of millions of people every day. Flock Safety operates one of the largest and most rapidly expanding of these networks, with hundreds of thousands of cameras generating over 30 billion vehicle detections each month and an undisclosed number of person detections.
At the center of this infrastructure is FlockOS, which Flock markets under the headline "One map. Smarter Response." According to their own documentation, the ArcGIS-powered interface "consolidates all data streams and the locations of each connected asset, enabling greater situational awareness and a common operating procedure." (Source: ClearGov Resource Document)
That "one map" is not a metaphor. It is the ArcGIS stack itself, and the exposed API key unlocked it.
The Vulnerability
The exposed credential was an organization-wide ArcGIS API key tied directly to Flock Safety's ArcGIS mapping environment. It appeared in client-side JavaScript bundles served from publicly accessible development subdomains.
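The finding above, and the count of 53 instances in the executive summary, come down to one triage task: pull the front-end bundles, find the key-shaped strings, and correlate them so you can tell one leaked credential from many. The scanner below is an added example written for this page; it is not Flock Safety's code, not a tool from the original disclosure, and not Esri's. It assumes that ArcGIS API keys start with the prefix "AAPK" (legacy keys) or "AAPT" (newer API key credentials) followed by a long run of URL-safe base64 characters, and it also catches generic `esriConfig.apiKey = "..."` / `apiKey: "..."` assignments at lower confidence. The three sample bundles and the key inside them are constructed for the demo; the hostnames are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# ASSUMPTION (not from the article): ArcGIS API keys begin with "AAPK"
# (legacy keys) or "AAPT" (newer API key credentials) followed by a long
# run of URL-safe base64 characters. Tune the prefix list to what you see.
ARCGIS_KEY_RE = re.compile(r"(?<![A-Za-z0-9_\-])AAP[KT][A-Za-z0-9_\-]{40,}")

# Generic assignments of the form esriConfig.apiKey = "..." / apiKey: "..."
# (the ArcGIS Maps SDK for JavaScript sets the key via esriConfig.apiKey).
ASSIGN_RE = re.compile(
    r"""(?i)(?<![A-Za-z0-9_])(?:esriConfig\.)?apiKey\s*[:=]\s*["']([^"']{20,})["']"""
)


@dataclass(frozen=True)
class Finding:
    bundle: str       # URL or path of the JavaScript bundle
    secret: str       # full matched value; keep it inside the triage tool
    line: int         # 1-based line (minified bundles usually report line 1)
    confidence: str   # "arcgis-format" or "assignment-only"


def redact(secret: str) -> str:
    """Enough of the value to correlate findings without reproducing it."""
    return f"{secret[:6]}...{secret[-4:]} ({len(secret)} chars)"


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_bundle(bundle: str, text: str) -> list[Finding]:
    """Return every candidate key in one bundle, format-level matches first."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for m in ARCGIS_KEY_RE.finditer(text):
        key = m.group(0)
        if key not in seen:
            seen.add(key)
            findings.append(Finding(bundle, key, _line_of(text, m.start()), "arcgis-format"))
    for m in ASSIGN_RE.finditer(text):
        value = m.group(1)
        if value not in seen:   # already reported with format-level confidence
            seen.add(value)
            findings.append(Finding(bundle, value, _line_of(text, m.start(1)), "assignment-only"))
    return findings


def group_by_secret(bundles: dict[str, str]) -> dict[str, list[Finding]]:
    """Correlate across bundles: one leaked key usually shows up many times."""
    grouped: dict[str, list[Finding]] = defaultdict(list)
    for bundle, text in bundles.items():
        for f in scan_bundle(bundle, text):
            grouped[f.secret].append(f)
    return dict(grouped)


def report(bundles: dict[str, str]) -> list[str]:
    """Human-readable summary lines with the secrets redacted."""
    lines = []
    for secret, hits in group_by_secret(bundles).items():
        where = ", ".join(f"{h.bundle}:{h.line}" for h in hits)
        lines.append(f"[{hits[0].confidence}] {redact(secret)} in {len(hits)} bundle(s): {where}")
    return lines


# Constructed sample bundles for the demo; the key below is fake.
FAKE_KEY = "AAPK" + "ExampleOnlyNotARealKey" + "0123456789_-abcdefghijklmnopqrstuvwxyz"
SAMPLE_BUNDLES = {
    "https://dev.example.invalid/static/js/main.3f2a.js":
        'import{esriConfig as e}from"./esri.js";e.apiKey="' + FAKE_KEY
        + '";const m=new Map({basemap:"arcgis-streets"});',
    "https://staging.example.invalid/static/js/dashboard.js":
        "var cfg={\n  tileServer:\"https://tiles.example.invalid\",\n  apiKey:\""
        + FAKE_KEY + "\",\n};",
    "https://www.example.invalid/static/js/vendor.js":
        'var buildId="9f1c8c2e-7e5d-4bd6-9d6a-0a9b8c7d6e5f";'
        'var apiKey="sk_test_placeholder_not_arcgis_1234";',
}

if __name__ == "__main__":
    for line in report(SAMPLE_BUNDLES):
        print(line)
```

On the sample input this reports the same fake key in two bundles (the dev and staging builds) and a lower-confidence `apiKey` assignment in the third, which is the shape of the real finding: one credential, many copies. Two caveats for anyone running this against their own assets. First, a hit only tells you a key is exposed; the next step is to enumerate what it authorizes, because a key scoped to public basemaps is a very different finding from one that reaches private layers. Second, a referrer restriction is enforced against the client-supplied Referer header, so it stops casual reuse from another site but not a scripted client that sets the header itself; the control that actually limits blast radius is keeping private items off any key that ships in a browser bundle.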