** Super disappointed as well that I ended up messing up capturing artifacts so there’s many stills/some other things I would’ve loved to cover. If I end up finding another image or something I will add it. Also expect some formatting and general polishing of this post in the near future.**
With the rollercoaster I’ve experienced in the past months, the last thing I had on my mind was furthering the security research into Flock Safety devices. One of the last things I did was report a few issues directly to CERT as they previously opened a line of communication with me. I’m going to quickly cover those as they’re related to the exposed feeds. To start with, it’s important to note that from what I can tell, Collins (an application for spinning up the devices video feed) is an older use case, although it is very likely still be used in the wild depending on the devices. This write-up covers what is the more recent deployments of spinning up the device’s video feed. I’ll provide an overview of each piece of the stack but for now just note that ‘video feed stack’ is not related to Collins.
These findings are:
- Picard (Bravo) Compute Boxes and Falcon/Sparrow/Flex LPRs (Confident but not 100%) enable use of cleartext traffic globally even when the Fast Reverse Proxy (FRP) tunnel drops (I’ll go over FRP later in this article), allowing control commands (CSRF deletion of footage anyone?!) and sensitive footage disclosure/interception/manipulation.
Relevant Output:
flock-video-recording.apk line 70:
`android:usesCleartextTraffic(0x010104ec)=(type 0x12)0xffffffff`
Relevant Output:
flock-speed-pourer.apk:assets/ipconfig.txt
00000000: 0000 0003 000c 6970 4173 7369 676e 6d65 ……ipAssignme 00000010: 6e74 0006 5354 4154 4943 000b 6c69 6e6b nt..STATIC..link 00000020: 4164 6472 6573 7300 0d31 3932 2e31 362e Address..192.16 00000030: 302e 3235 34
3. The ‘SpeedPourer’ FRP config can be modified/accessed by system (trivially achived since the Flock apps are shipped with ‘debuggable’ enabled).
2. Picard (Bravo) Compute Boxes and Falcon/Sparrow/Flex LPRs (Confident but not 100%) are shipped with the ‘SpeedPourer’ application which is a fully featured FTP client that loads unsigned (and insecure if desired) configs.
4. One relating to ‘Ciroc’ which I’m not going to cover in this article.
The impacts of these issues are obviously severe. An attacker can leverage the attack chains I previously disclosed and covered in my white paper [4] to expose all services directly to the internet of which the services do not support any kind of authentication or authorization (seems like it may be a theme). Additionally, one of the default services, I’ll go over the camera feed stack later in this write-up, runs an Open Network Video Interface Forum (ONVIF) service which has some interesting information disclosures and capabilities enabled/supported by default in this case. Use of ‘SpeedPourer’ also bypasses every on-device control (such what seems to be a password requirement when accessing certain camera feed services on the W/LAN).
Of course, I confirmed these by using one of my Picard compute boxes and SpeedPourer (and its FRP client) to connect and expose a web service it was running to the internet.
Now there’s more to note that I have not submitted to CERT, such as the fact that SpeedPourer stores (or at least supports) storing the passwords in cleartext. That the admin web service that’s exposed supports deleting footage via a GET request that has no CSRF protections (or authentication for that matter) among many other actions. There’s also more to poke at as it uses Mustache Templating. That’s just the tip of the iceberg…
Relevant Output:
From admin_page_template.html (lines 63-66) – Delete form uses GET:
<form method=”get” action=”/{{cameraId}}/deleteVideo”>
<input type=”hidden” name=”name” value=”{{filename}}” />
<button type=”submit”>Delete</button>
</form>
Relevant Output:
From admin_page_template.html (lines 103-110) – Bulk delete via GET fetch:
async function bulkDelete() {
const selectedFiles = document.querySelectorAll(‘input[name=”file”]:checked’);
for (const checkbox of selectedFiles) {
await fetch(`/{{cameraId}}/deleteVideo?name=${checkbox.value}`, { method: ‘GET’ });
}
alert(‘Selected files have been deleted.’);
location.reload();
}
Full list of endpoints of the admin portal template on lab Compute unit:
| Endpoint | Method | Handler | Description | Endpoint |
| /{cameraId}/videoAdmin | GET | dumpFiles() | Video file listing dashboard | /{cameraId}/videoAdmin |
| /{cameraId}/videoAdmin?day=YYYY-MM-DD | GET | dumpFiles() | Filter videos by date | /{cameraId}/videoAdmin?day=YYYY-MM-DD |
| /{cameraId}/getVideo?name=<filename> | GET | getVideoFile() | Stream/download video file | /{cameraId}/getVideo?name=<filename> |
| /{cameraId}/deleteVideo?name=<filename> | GET | deleteVideoFile() | Delete single video file | /{cameraId}/deleteVideo?name=<filename> |
| /{cameraId}/deleteAll | GET | deleteAllVideoFiles() | Delete ALL video files | /{cameraId}/deleteAll |
| /{cameraId}/archiveVideo?name=<filename> | GET | archiveVideoFile() | Move video to archive | /{cameraId}/archiveVideo?name=<filename> |
| /reboot | GET | reboot() | Reboot device | /reboot |
| /speedTest | GET | speedTest() | Run bandwidth test | /speedTest |
| /metadata | GET | publishMetaData() | Get device metadata | /metadata |
Full list of ONVIF Endpoints on lab Compute unit:
| Endpoint | Protocol | Description |
| /onvif/device_service | SOAP/XML | Device capabilities, info |
| /onvif/device_service?wsdl | HTTP | WSDL definition |
| /onvif/media_service | SOAP/XML | Media profiles, streams |
| /onvif/ptz_service | SOAP/XML | Pan-tilt-zoom control |
| /onvif/analytics_service | SOAP/XML | Video analytics |
| /onvif/events_service | SOAP/XML | Event subscription |
Default Fast Reverse Proxy (FRP) Tunnel Service on lab Compute unit:
| Function | Description |
| TCP tunnel | Forward local ports to remote FRP server |
| OIDC auth | https://REDACTED.us.auth0.com/oauth/token |
| Audience | com.flocksafety.frp-server |
It’s clear that this admin portal including in the stack was designed with the assumption that network isolation is sufficiently hardening.
With that covered, the last thing I did was set up the wiring to add a Standard Range/Long Range camera to the camera feeds configuration so that the camera feed services would run because I don’t have a Standard Range/Long Range camera nor the camera to get it connected to the Picard Compute Box. I did however note the ports, any unique identifiers (like within the default HTML page it returns ‘admin_page_template.html’. Prior to that I did spend an hour or two doing light passive recon to see if I could find any instances of this camera feed admin page exposed to the internet. I ended up not finding anything. So, at that point, I created the wiring to add a fake camera to the camera feed stack so that the stack would fully spin up. However, with getting that wiring hopefully working at the crack of dawn, I ended up not fully confirming it, not having the time to try it out completely and then traveling for a bit.
Never did I expect the text I’d receive a few weeks later…
Introduction
It was a text from Benn Jordan. He’s a musician, Youtuber, inventor, entrepreneur, security researcher, and I hope he’ll be ok with me saying, a friend. Previously, he had reached out to me and brought me to him to assist in his video coverage of my Bird Hunting Season research, his independent Flock Safety research and Josh Michael’s [Founder of Nexanet AI] (and another friend) independent Flock Safety research.
The text was brief and odd. A cleartext HTTP URL with of just an IP on an uncommon port (8900). I navigated to it and couldn’t believe it… An unauthenticated camera feed.
He then added me to a group with 404 Media’s Jason Koebler, someone whose voice I recognize from his host/guest credits on CYBER and from his work as a journalist. I would come to find out that they were both working on pieces related to the few exposed feeds that Benn discovered and Benn was interested if I had any ideas for determining if there were more feeds exposed. Keep in mind, the web service had no with authorization banner, no authentication, no warning and was exposed to the internet. Especially because Benn ended up finding the three (3-4) live instances by searching “Flock Admin” on Shodan…
As a side note, I love Shodan (yes I know I love a lot of things relating to offensive security) and those types of search engines. I’ve had a dream to build my own system to continuously port scan the internet for a long time, maybe one day…
I have extensive experience with Shodan and have found my fair share of wild stuff, although nothing that compares to what Viss has found. I highly recommend the amusement you’ll get from watching one of his lectures. [5]
As I mentioned, the passive reconnaissance and OSINT I did previously include Shodan. Point 1 to note, it turns out that the admin template on my units were different than the ones Benn discovered. So, I most definitely was envious of his discovery momentarily, which was then instantly washed away by the stroke I felt for him. Because of what he found and that he was the one who found it.
If my experience doing a breadth of offensive security engagements for over a decade has taught me anything, it is that I knew instantly there were more instances of what Benn found out there. In fact, if you go into Shodan today, you can see entries that are quite old, some first seen in 2023 I believe even, but ultimately Shodan had about 11 listing with 3 or so being live still.
After some discussion and banter with both Benn and Jason, as well as mulling over if I could bring myself to do some research of my own. I decided to show Benn he told the right guy (subtle I know). External penetration tests are one of my favorite types of engagements (real ones not port scans + vulnerability scans) and the passive/semi-passive recon phase is often neglected.
It was at this point that I told Benn and Jason why (most likely) the camera feeds were exposed and what type of devices they were. I’d later come to learn that both theories I disclosed were half right, something I found quite embarrassing and will haunt me occasionally when I try to sleep for the foreseeable future. Given if you put yourself in my shoes, the last thing I did was discover the vulnerabilities I covered in the first section of this paper which most definitely could explain how these feeds ended up exposed to the internet…
However, I ran into important point 2 & point 3 at this time, when viewing the `logcat` output of the instances Benn found (yes you can do that, find out further in this paper) there were references to Flock applications running on the units I never saw before. There was also some configuration information on those did not mention Falcon, Flex, Sparrow, Range, Picard, or any of the model/internal names of the units I have in my lab.
Before I step through the process I took to turn his 3 or 4 instances of camera feeds into 67, let’s go over the video feed stack. From what I saw, the primary stack is the same, it’s just optional pieces (SPOILER ALERT), like ‘SpeedPourer’ were not running on most of the instances.
Feed Stack & Other Affected Services
Since most of the feeds were Pan Tilt Zoom (PTZ) it makes sense as to why I saw some new applications in the logs (I don’t have a Flock PTZ Camera in my lab).
So, I’ve broken down from what I’ve understood the stack looks like.
Port Summary:
| Port | Service | Protocol | Auth |
| 8900 | Admin Portal | HTTP | None |
| 8554 | RTSP Live | RTSP/RTP | None |
| 8000 | ONVIF | SOAP/XML | None |
| 9554 | RTSP Live? | RTSP/RTP? | None |
| 554 | RTSP Live | RTSP/RTP | None |
Most importantly point 5, these services bind to * aka 0.0.0.0 by default. Which is a concern. As well as a hint as to how this exposure occurred.
Feed Stack & Other Affected Services
My general approach was to determine as many unique fingerprints as possible to make OSINT similar. Which leads me to point 6, all 67 live camera feeds I found were shown to be on a Verizon ASN.
So doing a search query on Shodan & ZoomEye searching that ASN, with Port 8900 and in the US is how I found 15 or so more live instances.
Example Shodan Query:
country:”US” port:”8900” asn:”AS12738”
Example ZoomEye Query:
country=”US” && port=”8900” && asn=”AS12738”
I also did some queries with the default DNS names assigned by Verizon. Then I did a port scan for port 8900 first for only the last octet (/24) and then for the two last octets (/16). Additionally, I ran httpx on port 8900 against the same octets, although eventually I stopped it before it finished. That’s how the found instances grew to 67.
Then once I had the list, I use a script to hit the IPInfo API to get the geolocation data. Which if you know you know, wasn’t completely accurate but was surprisingly closer to the actual location of the cameras then you’d think. However, as I’m not good at geo guessing someone else figured out precisely where all the cameras were physically located.
So, here’s a high-level overview of the tooling I used, note that I did try regular search engine dorking and some other OSINT techniques like searching by source code, etc., but as expected, there were no results.
| Tool | Purpose |
| Shodan | Internet-wide device search |
| ZoomEye | Internet-wide device search |
| Masscan | Highspeed port scanner |
| httpx | HTTP probing/fingerprinting |
| IPInfo | IP geolocation API |
Let me be clear, this is obviously not the route or process I’d take during an actual engagement, but I was prioritizing keeping things light and quick as well as not trying to put the same amount of effort I would if this was a real engagement. Among many other things.
Below is the list of the 67 instances I found. I’ll include them again along with the output from IPInfo in the following section.
| 75.194.128.141 | 75.198.223.6 | 75.205.159.66 | 75.205.211.41 | 75.226.76.151 | 97.147.0.53 |
| 75.194.146.163 | 75.198.45.55 | 75.205.165.236 | 75.205.212.141 | 75.226.76.25 | 97.147.101.112 |
| 75.194.148.200 | 75.198.58.132 | 75.205.177.245 | 75.226.140.34 | 75.226.83.131 | 97.147.117.40 |
| 75.194.162.193 | 75.203.180.171 | 75.205.180.222 | 75.226.153.152 | 75.226.85.82 | 97.147.45.77 |
| 75.194.172.248 | 75.205.138.140 | 75.205.182.48 | 75.226.198.44 | 75.226.94.3 | 97.147.57.180 |
| 75.194.183.105 | 75.205.140.45 | 75.205.183.143 | 75.226.202.172 | 75.232.66.97 | 97.147.75.156 |
| 75.198.133.156 | 75.205.146.117 | 75.205.184.237 | 75.226.232.163 | 75.236.195.86 | 97.147.91.61 |
| 75.198.149.105 | 75.205.147.124 | 75.205.185.12 | 75.226.247.67 | 75.236.210.149 | |
| 75.198.167.110 | 75.205.148.141 | 75.205.185.120 | 75.226.65.178 | 75.236.224.7 | |
| 75.198.205.24 | 75.205.153.217 | 75.205.186.70 | 75.226.69.137 | 75.236.229.174 | |
| 75.198.208.154 | 75.205.156.24 | 75.205.187.249 | 75.226.70.173 | 75.236.244.20 | |
| 75.198.209.29 | 75.205.159.137 | 75.205.188.83 | 75.226.75.123 | 75.239.144.182 |
How & Why The Camera feeds Ended up Exposed on the internet
My original theory that I voiced to Jason and Benn was:
1. These are likely all Picard (Bravo) Compute Boxes
2. They are exposed because Flock spun up ‘SpeedPourer’ FRP and forgot to shut it down.
It’s frustrating to have to keep saying “I think,” and I apologize for that. I have misplaced some of my notes or more likely, I didn’t take enough.
Turns out that I was right and I was wrong. There were some LPRs/ Picard (Bravo) Compute Boxes that were using SpeedPourer FRP…BUT they were properly connected to a Flock proxy server so ultimately the camera feed was exposed for the same reason as the other devices.
So, what happened you ask?!
Well, it turns out that 4G/LTE/5G is not guaranteed to be Carrier-Grade Network Address Translation (CGNAT) nor to even be behind a firewall. Which was news to me. It turns out that it is uncommon but not unheard of that 4G/LTE/5G to not have these basic protections. The good news is, it seems that I learned this at the same time Flock did which is also bad news. I’m not 100% on this, but from what I understand, when SIM/eSIMs are purchased from the business side of an ISP and/or when it’s a data only SIM there’s a higher likelihood of this occurring. But don’t quote me on that.
So, the lack of CGNAT + Firewall at the ISP level means that those services bound to all network interfaces will happily respond on the external IP address.
Voila.
It also lead to some funny cases like the fact that the LAN RTSP feed on one of the ports had authentication (although in the next section I’ll cover a bunch of security issues with Flock’s implementation) but since you weren’t hitting the device over its W/LAN IP, no big. Although it was possible to change the RTSP password anyway or remove it entirely.
Another interesting case was only a few of the instances had a “Commands” Section on one page of the admin/debug portal. But it the JavaScript (JS) or whatever needed to utilize was missing from the instance. Not that I would’ve tried that anyway. I also considered just adding the JS myself based off the functionality in the admin template portal I have on my unit but as this is security research I of course did not attempt to do that.
Other Security issues
Example of one of the PTZ (Condor) Exposed Cameras.
Example of one of the Falcon/Sparrow/Flex LPR’s Exposed Cameras.
Another example of one of the Falcon/Sparrow/Flex LPR’s Exposed Cameras.
Some had multiple units connected to them.
There were even either long range Falcon or Standard/Long Range Cameras that are connected to the Picard (Bravo) Compute box as well.
Note that there’s no password to access the feed set for the LPRs.
Additionally, it seemed that the units that did have passwords set to view the RTSP feeds locally or via the FRP they had setup likely, the passwords *seemed* modifiable (I didn’t check) and when they were set, they were unique but disclosed in cleartext.
Condors had encrypted passwords and some were in cleartext.
In terms of security issues, there’s quite a few, so I’ll list them below:
Log Disclosure Security Issues:
- RTSP Digest Authentication Credentials Exposed
Authorization: Digest username=”admin”, realm=”e4f14c8af4f6″,
nonce=”e9349247cd7ec8a04d51438ed1bc3e0a”,
uri=”rtsp://192.168.0.100:554/”,
response=”1d08fa25b19674601d7983bd8cf96e91″
- RTSP Session IDs Exposed
Session: a15cad996e4cad996a4cad99064cad9
Session: 227d238ced6d238ce96d238c856d238
- Auth0 Token Usage Logged
Auth0ServiceController: service: com.flocksafety.android.sambuca.lib.IAuth0KeyServiceInterface$Stub$Proxy@8eccfce
HpnotiqService: HpnotiqService using Auth0 token
- Device Serial Numbers Disclosed
HpnotiqService: sendValidationTestResults() serial=250403P021004BR
- Camera IDs & File Paths Exposed
Camera ID: 250626900E5, Format: H265, Average FPS: 19.9
/media/ufs/media/pipeline/250626900E5/2025-12-11/18/discard_2025-12-11-18-52-37-660_1.mp4
/media/ramdisk/250626900E5/hls/1920×1080/H265/2025-12-11/segment_1765479157755.ts.tmp
- FRP Tunnel Session IDs
FrpTunnel: frp log: [bd148b4ad64738ab] send heartbeat to server
FrpTunnel: frp log: [bcc8e160571e8832] receive heartbeat from server
FrpTunnel: frp log: [4eeb894e4e9094fb] send heartbeat to server
- Internal RTSP Client User-Agent
User-Agent: happytimesoft rtsp client
Confirms use of HappyTime RTSP library.
- Full Java Stack Traces
Logs contain complete stack traces revealing:
– Internal class names (com.flocksafety.android.peripheral.impl.PowerModuleDevice)
– Method names and line numbers
– File paths (PeripheralControllerPicard.kt:475)
- Video Encoding Parameters
bitrate = 15750000
width = 1920, height = 1080
frame-rate = 30
mime = “video/hevc”
10. System Build Info
TKQ1.250502.001 (Android build version)
Qualcomm QC2 media codecs
Impact
Based off the reversing and analysis I performed from the versions of the applications on the units in my lab, things like video modification, deletion, denial of service, etc. were all possible while these feeds were exposed. Beyond just the fact that the feeds were exposed!
Additionally, the exposed device identifiers, cellular network information, and tunnel configurations provide sufficient data for an attacker to fingerprint, geolocate, and potentially target specific Flock Safety camera units. Leaked FRP tunnel session IDs and server addresses reveal the exact attack surface for accessing internal device services including RTSP video streams and HTTP management interfaces. The combination of missing ADB key initialization, SELinux policy failures, and verbose authentication logging creates multiple vectors for unauthorized access and privilege escalation. If exploited, an attacker could intercept video feeds, manipulate device configurations, or use compromised units as pivot points into Flock Safety’s infrastructure. These findings represent systemic logging hygiene issues that expose sensitive operational and personal identifiable information across the entire device fleet.
Recommendations
| # | Category | Recommendation |
|---|---|---|
| 1 | Device Identifiers | Hash or tokenize all hardware identifiers before logging (camera IDs, child serials, battery serials, external battery JSON fingerprints) |
| 2 | Cellular PII | Strip MCC/MNC, Cell ID, and TAC from StatusTask logs |
| 3 | FRP Tunnel Sessions | Encrypt or mask tunnel session IDs in logs |
| 4 | Tunnel Config | Do not log server addresses, ports, or device external IDs |
| 5 | Auth0 Service | Remove service proxy addresses from verbose logging |
| 6 | ADB Configuration | Properly initialize ADB keys or disable ADB entirely in production |
| 7 | SELinux Hardening | Review and fix policy denials (cache_file, vendor_qmcs_file, firmware_file) |
| 8 | Diag Subsystem | Fix Diag_LSM_Init failures – diagnostic subsystem not functioning |
| 9 | Network Binding | Only have services listen on required interfaces; avoid binding to 0.0.0.0 when localhost suffices |
| 10 | Credential Storage | Do not store passwords or secrets in cleartext; use secure credential storage |
| 11 | Defense in Depth | Do not rely on security through obscurity; implement proper authentication and authorization |
| 12 | Access Monitoring | Log and monitor access to sensitive services and endpoints |
Conclusion
This took way too long to write up, and I dropped the ball in terms of notes, stills and artifacts. There is a ton of meat left on the bone in terms of other security analysis (or even tests if one were to be authorized). Even further examination of the logs may reveal more information. That said, it clearly indicates that the previous issues I’ve disclosed and covered in my white paper are the tip of the iceberg and Flock Safety (as well as any vendor in similar industries) can really benefit from getting their infrastructure, devices, and applications tested thoroughly and continuously. Seeing that they’ve recently opened a position for Director of OffSec is a great sign imo. This is also the first and likely only time I will have had any type of insight into how these LPRs, Compute Boxes and PTZs that record me every time I leave my street (like they do that) run in the wild.
P.S. – I did provide CERT with info relating to the exposed camera feeds prior to Benn’s video being released. However, I never heard back so I have no idea if they did anything with it. That said, last time I ran a quick check, all 67 instances are no longer exposed unauthenticated to the entire internet. It is also unclear how long they ended up being exposed.
Just a final reminder, that IP address to Coordinate lookup are rarely correct and I know for a fact that the Coordinates I provide below aren’t exact. Enjoy.
| # | IP Address | City | State | Coordinates | Postal |
|---|---|---|---|---|---|
| 1 | 75.194.128.141 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 2 | 75.194.146.163 | Sunnyvale | California | 37.3688,-122.0363 | 94088 |
| 3 | 75.194.148.200 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 4 | 75.194.162.193 | Sunnyvale | California | 37.3688,-122.0363 | 94088 |
| 5 | 75.194.172.248 | Sunnyvale | California | 37.3688,-122.0363 | 94088 |
| 6 | 75.194.183.105 | Sunnyvale | California | 37.3688,-122.0363 | 94088 |
| 7 | 75.198.133.156 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 8 | 75.198.149.105 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 9 | 75.198.167.110 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 10 | 75.198.205.24 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 11 | 75.198.208.154 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 12 | 75.198.209.29 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 13 | 75.198.223.6 | Rocklin | California | 38.7907,-121.2358 | 95677 |
| 14 | 75.198.45.55 | Indianapolis | Indiana | 39.7684,-86.1580 | 46204 |
| 15 | 75.198.58.132 | Indianapolis | Indiana | 39.7684,-86.1580 | 46204 |
| 16 | 75.203.180.171 | Aurora | Colorado | 39.7294,-104.8319 | 80040 |
| 17 | 75.205.138.140 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 18 | 75.205.140.45 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 19 | 75.205.146.117 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 20 | 75.205.147.124 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 21 | 75.205.148.141 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 22 | 75.205.153.217 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 23 | 75.205.156.24 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 24 | 75.205.159.137 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 25 | 75.205.159.66 | Charlotte | North Carolina | 35.2271,-80.8431 | 28202 |
| 26 | 75.205.165.236 | Richmond | Virginia | 37.5538,-77.4603 | 23173 |
| 27 | 75.205.177.245 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 28 | 75.205.180.222 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 29 | 75.205.182.48 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 30 | 75.205.183.143 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 31 | 75.205.184.237 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 32 | 75.205.185.12 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 33 | 75.205.185.120 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 34 | 75.205.186.70 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 35 | 75.205.187.249 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 36 | 75.205.188.83 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 37 | 75.205.211.41 | Vista | California | 33.2000,-117.2425 | 92083 |
| 38 | 75.205.212.141 | Vista | California | 33.2000,-117.2425 | 92083 |
| 39 | 75.226.140.34 | North Las Vegas | Nevada | 36.1989,-115.1175 | 89036 |
| 40 | 75.226.153.152 | North Las Vegas | Nevada | 36.1989,-115.1175 | 89036 |
| 41 | 75.226.198.44 | Schertz | Texas | 29.5522,-98.2697 | 78154 |
| 42 | 75.226.202.172 | Schertz | Texas | 29.5522,-98.2697 | 78154 |
| 43 | 75.226.232.163 | Tulsa | Oklahoma | 36.1540,-95.9928 | 74102 |
| 44 | 75.226.247.67 | Tulsa | Oklahoma | 36.1540,-95.9928 | 74102 |
| 45 | 75.226.65.178 | Euless | Texas | 32.8371,-97.0820 | 76040 |
| 46 | 75.226.69.137 | Euless | Texas | 32.8371,-97.0820 | 76040 |
| 47 | 75.226.70.173 | Euless | Texas | 32.8371,-97.0820 | 76040 |
| 48 | 75.226.75.123 | Southfield | Michigan | 42.4734,-83.2219 | 48086 |
| 49 | 75.226.76.151 | Southfield | Michigan | 42.4734,-83.2219 | 48086 |
| 50 | 75.226.76.25 | Southfield | Michigan | 42.4734,-83.2219 | 48086 |
| 51 | 75.226.83.131 | New Berlin | Wisconsin | 42.9764,-88.1084 | 53151 |
| 52 | 75.226.85.82 | New Berlin | Wisconsin | 42.9764,-88.1084 | 53151 |
| 53 | 75.226.94.3 | Omaha | Nebraska | 41.2563,-95.9404 | 68101 |
| 54 | 75.232.66.97 | Yonkers | New York | 40.9304,-73.8979 | 10702 |
| 55 | 75.236.195.86 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 56 | 75.236.210.149 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 57 | 75.236.224.7 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 58 | 75.236.229.174 | Alpharetta | Georgia | 34.0754,-84.2941 | 30009 |
| 59 | 75.236.244.20 | Windsor | Connecticut | 41.8526,-72.6437 | 06006 |
| 60 | 75.239.144.182 | Houston | Texas | 29.7633,-95.3633 | 77002 |
| 61 | 97.147.0.53 | Schertz | Texas | 29.5522,-98.2697 | 78154 |
| 62 | 97.147.101.112 | Baton Rouge | Louisiana | 30.4433,-91.1875 | 70801 |
| 63 | 97.147.117.40 | Baton Rouge | Louisiana | 30.4433,-91.1875 | 70801 |
| 64 | 97.147.45.77 | Schertz | Texas | 29.5522,-98.2697 | 78154 |
| 65 | 97.147.57.180 | Schertz | Texas | 29.5522,-98.2697 | 78154 |
| 66 | 97.147.75.156 | Baton Rouge | Louisiana | 30.4433,-91.1875 | 70801 |
| 66 | 97.147.91.61 | Baton Rouge | Louisiana | 30.4433,-91.1875 | 70801 |
Summary by Location
| State | City | Count |
|---|---|---|
| Georgia | Alpharetta | 14 |
| California | Rocklin | 9 |
| North Carolina | Charlotte | 9 |
| Texas | Schertz | 5 |
| Louisiana | Baton Rouge | 4 |
| California | Sunnyvale | 4 |
| Texas | Euless | 3 |
| Michigan | Southfield | 3 |
| California | Vista | 2 |
| Nevada | North Las Vegas | 2 |
| Oklahoma | Tulsa | 2 |
| Wisconsin | New Berlin | 2 |
| Indiana | Indianapolis | 2 |
| Colorado | Aurora | 1 |
| Connecticut | Windsor | 1 |
| Nebraska | Omaha | 1 |
| New York | Yonkers | 1 |
| Texas | Houston | 1 |
| Virginia | Richmond | 1 |
Total: 67 instances across 19 cities in 15 states — all on Verizon Business (AS6167)
| Package | Description |
|---|---|
| com.flocksafety.android.videorecording | Video recording service |
| com.flocksafety.android.streaming | Video streaming service |
| com.flocksafety.android.pipeline | Video processing pipeline |
| com.flocksafety.android.cameraconfig | Camera configuration / admin portal |
| com.flocksafety.android.peripheral | Peripheral device control |
| com.flocksafety.android.peripheral.impl | Peripheral implementation |
| com.flocksafety.android.peripheral.lib | Peripheral library |
| com.flocksafety.android.sambuca.lib | Auth0 authentication library |
| com.flocksafety.android.sensorservice | Sensor data collection |
| com.flocksafety.android.medallalight | Crash / log collection |
| Package | Description |
|---|---|
| com.android.server.adb | ADB debugging service |
| com.android.server | System server |
| com.android.providers.media | Media provider |
| com.android.internal.util | Internal utilities |
| com.android.phone | Phone / telephony |
| com.android.shell | Shell service |
| com.android.printspooler | Print spooler |
| com.android.statementservice | Statement service |
| com.android.cellbroadcastreceiver.module | Cell broadcast |
| com.android.remoteprovisioner | Remote provisioning |
| com.android.adservices | Ad services |
| com.android.wifi | WiFi service |
| com.android.tethering | Tethering |
| com.android.cellbroadcast | Cell broadcast |
| com.android.mediaprovider | Media provider |
| com.android.ondevicepersonalization | Personalization |
| Service Tag | Description |
|---|---|
| SpeedPourerService | FRP / port forwarding service |
| FlockCameraManager | Camera management |
| FlockBatteryStationHAL | Battery station HAL |
| Phone Home Service | Telemetry / status reporting |
| Auth0ServiceController | Auth0 authentication |
| HpnotiqService | Validation / test service |
| AdbDebuggingManager | ADB debugging |
| DiskStatsService | Disk statistics |
| BatteryExternalStatsWorker | Battery stats |
| AmbientContextManagerService | Ambient context |
| AutofillManagerService | Autofill |
| GnssLocationProvider | GPS location |
| TelephonyManager | Telephony |
| Reference | Context |
|---|---|
| android.os.Binder.doDump | Binder dump operations |
| android.os.Binder.dump | Binder dump |
| android.os.Binder.onTransact | Binder transaction handler |
| android.os.Binder.execTransactInternal | Transaction execution |
| android.os.Binder.execTransact | Transaction execution |
| android.debug.IAdbManager$Stub.onTransact | ADB manager AIDL |
| IPeripheralServiceInterface$Stub.onTransact | Peripheral service AIDL |
| IAuth0KeyServiceInterface$Stub$Proxy | Auth0 service proxy |
| hw-BpHwBinder | Hardware binder proxy |
| JavaBinder | Java binder exceptions |
| Class | Method | File:Line |
|---|---|---|
| PowerModuleDevice | readWithSocket() | PowerModuleDevice.kt:228 |
| PowerModuleDevice | read() | PowerModuleDevice.kt:93 |
| PeripheralControllerPicard | getPpmValues() | PeripheralControllerPicard.kt:475 |
| PeripheralService$binder$1 | getPpmValues() | PeripheralService.kt:159 |
| IPeripheralServiceInterface$Stub | onTransact() | IPeripheralServiceInterface.java:389 |
| SensorRecorderTask$sendPowerSources$1 | invokeSuspend() | :694 |
| Class | Method | File:Line |
|---|---|---|
| AdbDebuggingManager | dump() | AdbDebuggingManager.java:1776 |
| AdbService | dump() | AdbService.java:604 |
| DiskStatsService | reportCachedValues() | DiskStatsService.java:209 |
| DiskStatsService | dump() | DiskStatsService.java:147 |
| MediaProvider | dump() | MediaProvider.java:10678 |
| FastPrintWriter | flushBytesLocked() | FastPrintWriter.java:354 |
| Logging | dumpPersistentFile() | Logging.java:158 |
| IoBridge | open() | IoBridge.java:574 |
| FileInputStream | <init> | FileInputStream.java:160 |
| FileUtils | readTextFile() | FileUtils.java:637 |
| RuntimeInit$MethodAndArgsCaller | run() | RuntimeInit.java:548 |
| ZygoteInit | main() | ZygoteInit.java:942 |
| Component | Description |
|---|---|
| vendor.qti.media.c2@1.0-service | Qualcomm media codec service |
| android.system.suspend@1.0-service | System suspend service |
| QC2Interface | Qualcomm Codec2 interface |
| QC2ImageConverter | Image conversion |
| QC2V4l2Driver | V4L2 video driver |
| CCodecBufferChannel | Codec buffer channel |
| MPEG4Writer | MP4 file writer |
| diagcommd | Qualcomm diagnostics daemon |
| Diag_Lib | Diagnostics library |
| Tag | Category |
|---|---|
| EncodeNode | Video encoding |
| AVFileWriter-Discarded | File writing |
| NativeMuxer | Media muxing |
| DiskManager | Storage management |
| flock-rtsp | RTSP streaming |
| MPEG4Writer | MP4 writing |
| QC2ImageConverter | Image conversion |
| NEncoder2-Discarded | Encoder |
| CCodecBufferChannel | Codec buffers |
| Codec2-OutputBufferQueue | Output queue |
| PipelineWatcher | Pipeline monitoring |
| AssetDetector | Asset detection |
| FrpTunnel | FRP tunnel logs |
| RTSP_CLN | RTSP client |
| CrashPackUtil | Crash reporting |
| goat_collector | Memory monitoring |
| dumpstate | System dump |
| SDM | Display manager |
| BufferPoolAccessor2.0 | Buffer pool |
| Path | Content |
|---|---|
| /media/ufs/media/pipeline/250626900E5/ | Video recordings |
| /media/ramdisk/250626900E5/hls/ | HLS stream segments |
| /data/misc/adb/adb_keys | ADB authorization keys |
| /data/misc/adb/adb_temp_keys.xml | Temporary ADB keys |
| /data/system/diskstats_cache.json | Disk statistics |
| /data/user_de/0/com.android.shell/files/bugreports/ | Bug reports |
| /dev/video33 | Video device |
You can download two pieces of the log files that were exposed as shown below HERE
END TRANSMISSION