Across Uzbekistan, a network of about 100 high-definition roadside cameras continuously scan vehicle license plates and occupants, sometimes thousands a day, looking for potential traffic violations. A car running a red light. Drivers not wearing seat belts. Some examples include unauthorized vehicles driving at night.
The driver of one of the most monitored vehicles in the system was tracked for six months, traveling from the eastern city of Chirchik through the capital Tashkent and between the nearby settlements of Eshhonguzal, often multiple times a week.
We know this because the country’s sprawling license plate tracking and surveillance system remains exposed to the internet.
Security researcher Anurag Sen, who discovered the security flaw, discovered that the license plate surveillance system was posted online without a password, allowing anyone to access the data inside. It is not clear how long this surveillance system was open to the public, but system artifacts indicate that the database was built in September 2024 and traffic monitoring began in mid-2025.
The revelations offer a rare glimpse into how such a national license plate surveillance system works, the data it collects, and how it can be used to track the whereabouts of millions of people across the country.
The blunder also highlights the security and privacy risks associated with mass surveillance of vehicles and their owners, much of which is provided by surveillance giant Flock, as the U.S. builds out a nationwide fleet of license plate readers. Earlier this week, independent news outlet 404 Media reported that Flock had left dozens of its license plate reading cameras publicly available on the web, allowing reporters to watch themselves being tracked in real time by Flock’s cameras.
Sen said he discovered Uzbekistan’s license plate surveillance system had been exposed earlier this month and shared details of the security flaw with TechCrunch. Sen told TechCrunch that the system’s database reveals real-world camera locations and includes millions of photos and raw camera video footage of passing vehicles.
The system is operated by Uzbekistan’s interior ministry’s public security department in Tashkent, which did not respond to an email seeking comment on the security lapses in December.
Representatives of Uzbekistan’s government in Washington, D.C., and New York also did not respond to TechCrunch’s emails regarding the disclosure. Uzbekistan’s Computer Emergency Response Team UZCERT did not respond to alerts about the system, other than an automatic reply confirming receipt of our email.
As of this writing, the monitoring system remains exposed to the web.
The system calls itself an “intelligent traffic management system” by Maxvision, a Shenzhen, China-based manufacturer of internet-connected traffic technology, border inspection systems, and surveillance products. In a video on LinkedIn, the company says its cameras can record “the entire illegal process” and “view illegal and passing information in real time.”
According to the brochure, MaxVision exports its security and surveillance technology to countries around the world including Burkina Faso, Kuwait, Oman, Mexico, Saudi Arabia and Uzbekistan.
TechCrunch analyzed the data in the exposed system and found that at least 100 cameras were installed in Uzbekistan’s major cities, busy junctions and other important transportation routes.
We plotted the cameras’ GPS coordinates and found rows of license plate readers in Tashkent, the cities of Jizakh and Karshi in the south, and Namangan in the east. Some of the cameras are installed in rural areas, including along routes near areas of former conflict on the border between Uzbekistan and Tajikistan.
Cameras are installed at more than a dozen locations in Tashkent, the country’s largest city. Some of these cameras also appear on Google Street View.
Some cameras watermark the footage with the name of Horowitz, a Singaporean camera manufacturer, and capture video footage and still images of non-compliant vehicles in 4K resolution.
The exposed system provides access to a web-based interface that includes a dashboard that allows operators to examine footage of traffic violations. The dashboard displays close-up photos and live video footage of violations and surrounding vehicles. (TechCrunch redacted the license plate and vehicle occupants before publication.)
The exposure of Uzbekistan’s national license plate reading system is the latest example of security lapses related to road surveillance cameras.
Earlier this year, Wired reported that more than 150 license plate readers across the United States and the real-time vehicle data they collected were exposed to the internet without any security.
Exposed license plate readers are not a new phenomenon. In 2019, TechCrunch reported that over 100 license plate readers are searchable and accessible from the internet, allowing anyone to access the data inside. Some have been exposed for years, even though security researchers have warned law enforcement that these systems could be accessed from the web.
To contact this reporter securely, use Signal using username zackwhittaker.1337.
Source link
