3 months ago
45
Across Uzbekistan, a web of astir a 100 banks of high-resolution roadside cameras continuously scan vehicles’ licence plates and their occupants, sometimes thousands a day, looking for imaginable postulation violations. Cars moving reddish lights; drivers not wearing their seatbelts; and unlicensed vehicles driving astatine night, to sanction a few.
The operator of 1 of the astir surveilled vehicles successful the strategy was tracked implicit six months arsenic helium traveled betwixt the eastbound metropolis of Chirchiq, done the superior Tashkent, and successful the adjacent colony of Eshonguzar, often aggregate times a week.
We cognize this due to the fact that the country’s sprawling licence plate-tracking surveillance strategy has been near exposed to the internet.
Security researcher Anurag Sen, who discovered the information lapse, recovered the licence sheet surveillance strategy exposed online without a password, allowing anyone entree to the information within. It’s not wide however agelong the surveillance strategy has been public, but artifacts from the strategy amusement that its database was acceptable up successful September 2024, and postulation monitoring began successful mid-2025.
The vulnerability offers a uncommon glimpse into however specified nationalist licence sheet surveillance systems work, the information they collect, and however they tin beryllium utilized to way the whereabouts of immoderate 1 of the millions of radical crossed an full country.
The lapse besides reveals the security and privateness risks associated with the wide monitoring of vehicles and their owners, astatine a clip erstwhile the United States is gathering up its nationwide array of licence sheet readers, many of which are provided by surveillance elephantine Flock. Earlier this week, autarkic quality outlet 404 Media reported that Flock near dozens of its ain licence sheet speechmaking cameras publically exposed to the web, allowing a newsman to watch themselves being tracked successful existent time by a Flock camera.
Sen said helium recovered the exposed Uzbek licence sheet surveillance strategy earlier this month, and shared details of the information lapse with TechCrunch. Sen told TechCrunch that the system’s database reveals the real-world locations of the cameras, and contains millions of photos and earthy camera video footage of passing vehicles.
The strategy is tally by the Department of Public Security successful Uzbekistan’s Ministry of Internal Affairs successful Tashkent, which did not respond to emails requesting remark astir the information lapse during December.
Representatives of the Uzbek authorities successful Washington D.C. and New York besides did not respond to TechCrunch’s emails astir the exposure. Uzbekistan’s machine exigency readiness team, UZCERT, did not respond to an alert astir the system, but for an automated reply acknowledging receipt of our email.
The surveillance strategy remains exposed to the web astatine the clip of writing.
The strategy refers to itself arsenic an “intelligence postulation absorption system” by Maxvision, a Shenzhen, China-based shaper of internet-connected postulation technologies, borderline inspection systems, and surveillance products. In a video connected LinkedIn, the institution says its cameras tin grounds the “entire amerciable process,” and tin “display amerciable and passing accusation successful real-time.”
According to its brochure, Maxvision exports its information and surveillance tech to countries crossed the globe, including Burkina Faso, Kuwait, Oman, Mexico, Saudi Arabia, and Uzbekistan.
Image Credits:TechCrunch (screenshot)TechCrunch’s investigation of the information wrong the exposed strategy revealed astatine slightest a 100 cameras located crossed large Uzbek cities, arsenic good arsenic engaged junctions and different important transit routes.
We plotted the GPS coordinates of the cameras, and recovered banks of licence sheet readers successful Tashkent, the cities of Jizzakh and Qarshi successful the south, and Namangan successful the east. Some of the cameras are located successful agrarian areas, specified arsenic connected routes adjacent the once-disputed parts of the borders betwixt Uzbekistan and Tajikistan.
In Tashkent, the country’s largest city, the cameras tin beryllium recovered astatine much than a twelve locations. Some of these cameras are adjacent disposable connected Google Street View.
The cameras, immoderate which watermark their footage with the sanction of the Singapore camera shaper Holowits, seizure video footage and inactive images of vehicles violating rules successful 4K resolution.
Image Credits:TechCrunch (screenshot)The exposed strategy allows entree to its web-based interface, which contains a dashboard allowing operators to analyse footage of postulation violations. The dashboard contains zoomed-in photos and the earthy video footage of violations, arsenic good arsenic surrounding vehicles. (TechCrunch redacted the licence plates and conveyance occupants anterior to publication.)
Image Credits:TechCrunch (screenshot)The vulnerability of Uzbekistan’s nationalist licence sheet speechmaking strategy is the latest illustration of a information lapse involving roadworthy surveillance cameras.
Earlier this year, Wired reported that much than 150 licence sheet readers astir the United States and the real-time conveyance information they cod were exposed to the net without immoderate security.
Exposed licence sheet readers are not a caller phenomena. In 2019, TechCrunch reported that over a 100 licence sheet readers were searchable and accessible from the internet, allowing anyone to entree the information within. Some had been exposed for years, contempt information researchers informing instrumentality enforcement agencies that these systems could beryllium accessed from the web.
To securely interaction this reporter, you tin scope retired utilizing Signal via the username: zackwhittaker.1337
English (US) ·