Across Uzbekistan, a network of about a hundred banks of high-resolution roadside cameras constantly scan the license plates of vehicles and their occupants, sometimes thousands a day, looking for potential traffic violations. Cars running red lights, drivers not wearing their seat belts and unlicensed vehicles driving at night, to name a few.
The driver of one of the system’s most closely watched vehicles was monitored for six months as he traveled between the eastern city of Chirchiq, via the capital Tashkent, and the nearby settlement of Eshonguzar, often several times a week.
We know this because the country’s extensive surveillance system for tracking license plates has been left exposed online.
Security researcher Anurag Senwho discovered the security flaw, found the license plate surveillance system exposed online without a password, allowing anyone to access the data inside. It is unclear how long the surveillance system has been public, but artifacts from the system show that its database was created in September 2024 and traffic monitoring began in mid-2025.
The report offers a rare look at how such national license plate surveillance systems work, the data they collect and how they can be used to track the whereabouts of any of the millions of people across an entire country.
The omission also exposes the security and privacy risks associated with mass surveillance of vehicles and their owners as the United States rolls out its array of license plate readers nationwide, many of which are provided by tracking giant Flock. Earlier this week, independent news outlet 404 Media reported that Flock left dozens of its own license plate cameras publicly exposed online, allowing a reporter to they watch themselves being watched in real time from a Flock camera.
Shen said he found Uzbekistan’s exposed license plate surveillance system earlier this month and shared details of the security flaw with TechCrunch. Sen told TechCrunch that the system’s database reveals the actual locations of the cameras and contains millions of photos and raw camera video of passing vehicles.
The system is run by the Public Security Department of the Uzbek Interior Ministry in Tashkent, which did not respond to emails seeking comment about the security breach in December.
Uzbek government representatives in Washington, DC and New York also did not respond to TechCrunch’s emails about the report. Uzbekistan’s computer emergency preparedness team, UZCERT, did not respond to an alert about the system, except for an automated response that acknowledged receipt of our email.
The surveillance system remains exposed on the web at the time of writing.
The system is billed as an “information traffic management system” by Maxvision, a Shenzhen, China-based manufacturer of Internet-connected traffic technologies, border inspection systems and surveillance products. In a video on LinkedInthe company says its cameras can record “the entire illegal process” and can “display illegal and transmission information in real time.”
According to its brochureMaxvision exports its security and surveillance technology to countries around the world including Burkina Faso, Kuwait, Oman, Mexico, Saudi Arabia and Uzbekistan.
TechCrunch’s analysis of data inside the exposed system revealed at least a hundred cameras located in major Uzbek cities, as well as busy intersections and other important transit routes.
We plotted the GPS coordinates of the cameras and found banks of license plate readers in Tashkent, the cities of Jizzakh and Qarshi in the south, and Namangan in the east. Some of the cameras are located in rural areas, such as on tracks near the sometimes disputed parts of the border between Uzbekistan and Tajikistan.
In Tashkent, the country’s largest city, cameras are located in more than a dozen locations. Some of these cameras are even visible on Google Street View.
The cameras, some of which watermark their footage with the name of Singaporean camera maker Holowits, record videos and photos of rule-breaking vehicles in 4K resolution.
The exposed system allows access to the web-based interface, which contains a dashboard that allows operators to review footage of traffic violations. The dashboard contains zoomed photos and raw video of violations, as well as surrounding vehicles. (TechCrunch redacted the vehicle’s license plates and occupants prior to publication.)
The exposure of Uzbekistan’s national license plate reading system is the latest example of a security lapse involving road surveillance cameras.
Earlier this year, Wired reported that more than 150 license plate readers in the United States and the real-time vehicle data they collect were exposed online without any security.
Exposed license plate readers are not a new phenomenon. In 2019, TechCrunch reported that over a hundred license plate readers were accessible and accessible from the internet, allowing anyone to access the data. Some had has been on display for yearsdespite security researchers warning law enforcement agencies that these systems could be accessed from the web.
To contact this reporter securely, you can contact using Signal via username: zackwhittaker.1337
