All research was performed against a unit I owned and we did not and do not have any intention of disrupting any existing infrastructure. All disclosures are intended for research purposes only, on devices the researcher owns.
This is a introduction and overview post to give some background on the organization and their devices before jumping into the three devices I published about.
I would just like to start off by stating that Flock Safety responded to my inquiries in a timely manner. They were receptive to what I had to say and disclose. There was some confusion (or pressure) in regards to the timeline on disclosure but I was never threatened or attacked.
There were some rumblings of them posting a statement at the same time as I disclosed so there may be some communication from them in regards to my disclosures which I’ll add HERE if that does happen.
Consider this step 0 & 1 into the research that I plan to perform on these systems. What I’m disclosing is very surface level. Much more to come!
Here are the devices I covered:
The Raven – Gunshot Detection System – Write up HERE
The Falcon/Sparrow – Automated License Plate Reader – Write up #1 HERE – Write up #2 09/27/25
Bravo Compute Box – Edge computing – Write up HERE
At this point, I’d say it’s a ‘Flock Safety’ collection. Although, I only ended up purchasing the hardware… I swear.
If you haven’t heard of or don’t know what Flock Safety is I’ve kindly had ChatGPT prepare a nice PDF for your consumption. It also allows a overview that should be unbiased.
Timeline:
Initial Contact to Flock Safety: 02/08/25
First Response from Flock Safety: 02/10/25
Flock Safety Submitted Request for CVE Numbers for 10 of the vulnerabilities: 03/07/25
Flocks confirmation of submission and explanation on what they chose to submit to MITRE:
Flock PR Article about the vulnerabilities: 05/05/25 – Link
Disclosure: 06/19/25
First batch of CVE Published: 06/27/25
Further vulnerabilities disclosed to Flock: 06/19/25 & 06/27/25
I Followed up, provided disclosure deadline: 06/27/25
Flock Safety confirmed validation/triage in progress: 06/27/25
Flock Safety responded that existing CVEs 2025-47823 and 2025-47824 apply: 09/03/25
Final Communication – I replied clarifying CVEs do not apply to the Compute Box (Bravo) or the Android application vulnerabilities; notified Flock Safety of intent to submit directly to MITRE: 09/03/25
Disclosure Part 2 – Device 3 – Compute Box (and maybe some extras): Link – 09/19
Disclosure Part 3 Wireless RCE & More: Link 1 Link 2 – 09/27
Further Vulnerabilities disclosed to Vendor (Part 4) – 10/23/25
Formal white paper published (v1.0-PR) – 11/05/25
Flock Safety PR Statement regarding white paper – 11/06/25 – Link
Further Vulnerabilities disclosed to Vendor (Part 5) – 11/11/25
Full Disclosure Part 4 – 01/23/26
Full Disclosure Part 5 – 02/11/26
View all my informal full disclosure technical write-ups in regards to my Flock Safety Security Research:
Part 1: Bird Hunting Season – Security Research on Flock Safety’s Anti-Crime Systems: HERE
Part 2: Plucked and Rooted – Device 1: Debug Shell on Flock Safety’s Raven Gunshot Detection System: HERE
Part 3: Grounded Flight – Device 2: Root Shell on Flock Safety’s Falcon/Sparrow Automated License Plate Reader: HERE
Part 4: Trap Shooter – Flock Safety Sniffer & Alarm: HERE
Part 5: Root from the Coop – Device 3: Root Shell on Flock Safety’s Bravo Compute Box: HERE
Part 6: Fly-By – Device 2: The Falcon/Sparrow – Gated Wireless RCE, Camera Feed, DoS, Information Disclosure and More: HERE
Part 7: Button Presses to Wireless RCE: Shell on Flock Safety’s License Plate Cameras Over Wi-Fi: HERE
Part 8: Formalizing my Flock Safety Research: HERE
Part 9: BirdEye (Tool to Test Flock Safety’s ML Visual Recognition Models): HERE
END TRANSMISSION
Dope work.
Merci!