.png)
1 month ago
3
All research was performed against a unit I owned and I did not and do not have any intention of disrupting any existing infrastructure.
Yes, you’re reading that right, here’s a separate post that just covers the wireless RCE on Flock Safety’s License Plate Readers (LPRs) even when they’re in ‘operational’ mode!
I also included this breakdown and other info in this POST which is a continuation of the Bird Hunting Season research I’ve disclosed.
With that said, let’s keep this short and sweet.
- Set static IP on same CIDR that the devices are set to by default.
- Once the device is fully booted up, there is a button sequence that activates the hotspot.
- Like CVE-2025-47818 which is the result of Flock Safety’s gunshot detection systems having the same weak default hotspot password, their License Plate Readers (Sparrow/Falcon) as well as their Compute Box also have the default hotspot password of ‘security’ is across them.
- Connect to the License Plate Readers Hotspot; SSID will look like: Flock-XXXX
- Once connected, due to the fact that their ‘Collins’ Android application exposes an ‘adminstrative’ API on Port 8080 with no authentication, send a ‘PUT’ request to enable adb. (CVE-2025-59403)
- Now ADB over TCP is enabled, and yes it has authentication disabled, so just connect to the license plate reader (CVE # Pending).
- Now get a shell:
Command: adb shell
adb shellViola, RCE. (Screenshots of these process and other vulnerabilities disclosed in this round of disclosures: HERE)
Below is a video of the entire process, from booting up the device to getting a shell and showing that the unit I demonstrate this on is in ‘operational’ mode.
According to wigle.net you can see that there are over 900 hits some from 2025, that are in the wild with their hotspot active.
View all my write-ups in regards to my Flock Safety Security Research:
Part 1: Bird Hunting Season – Security Research on Flock Safety’s Anti-Crime Systems: HERE
Part 2: Plucked and Rooted – Device 1: Debug Shell on Flock Safety’s Raven Gunshot Detection System: HERE
Part 3: Grounded Flight – Device 2: Root Shell on Flock Safety’s Falcon/Sparrow Automated License Plate Reader: HERE
Part 4: Trap Shooter – Flock Safety Sniffer & Alarm: HERE
Part 5: Root from the Coop – Device 3: Root Shell on Flock Safety’s Bravo Compute Box: HERE
Part 6: Fly-By – Device 2: The Falcon/Sparrow – Gated Wireless RCE, Camera Feed, DoS, Information Disclosure and More: HERE
Part 7: Button Presses to Wireless RCE: Shell on Flock Safety’s License Plate Cameras Over Wi-Fi: HERE
END TRANSMISSION
Published September 27, 2025September 29, 2025
