Across Uzbekistan, a network of about a hundred banks of high-resolution roadside cameras continuously scan vehicles’ license plates and their occupants, sometimes thousands a day, looking for potential traffic violations. Cars running red lights; drivers not wearing their seatbelts; and unlicensed vehicles driving at night, to name a few.
The driver of one of the most surveilled vehicles in the system was tracked over six months as he traveled between the eastern city of Chirchiq, through the capital Tashkent, and in the nearby settlement of Eshonguzar, often multiple times a week.
We know this because the country’s sprawling license plate-tracking surveillance system has been left exposed to the internet.
Security researcher Anurag Sen, who discovered the security lapse, found the license plate surveillance system exposed online without a password, allowing anyone access to the data within. It’s not clear how long the surveillance system has been public, but artifacts from the system show that its database was set up in September 2024, and traffic monitoring began in mid-2025.
The exposure offers a rare glimpse into how such national license plate surveillance systems work, the data they collect, and how they can be used to track the whereabouts of any one of the millions of people across an entire country.
The lapse also reveals the security and privacy risks associated with the mass monitoring of vehicles and their owners, at a time when the United States is building up its nationwide array of license plate readers, many of which are provided by surveillance giant Flock. Earlier this week, independent news outlet 404 Media reported that Flock left dozens of its own license plate reading cameras publicly exposed to the web, allowing a reporter to watch themselves being tracked in real time by a Flock camera.
Sen said he found the exposed Uzbek license plate surveillance system earlier this month, and shared details of the security lapse with TechCrunch. Sen told TechCrunch that the system’s database reveals the real-world locations of the cameras, and contains millions of photos and raw camera video footage of passing vehicles.
The system is run by the Department of Public Security in Uzbekistan’s Ministry of Internal Affairs in Tashkent, which did not respond to emails requesting comment about the security lapse during December.
Representatives of the Uzbek government in Washington D.C. and New York also did not respond to TechCrunch’s emails about the exposure. Uzbekistan’s computer emergency readiness team, UZCERT, did not respond to an alert about the system, except for an automated reply acknowledging receipt of our email.
The surveillance system remains exposed to the web at the time of writing.
The system refers to itself as an “intelligence traffic management system” by Maxvision, a Shenzhen, China-based maker of internet-connected traffic technologies, border inspection systems, and surveillance products. In a video on LinkedIn, the company says its cameras can record the “entire illegal process,” and can “display illegal and passing information in real-time.”
According to its brochure, Maxvision exports its security and surveillance tech to countries across the globe, including Burkina Faso, Kuwait, Oman, Mexico, Saudi Arabia, and Uzbekistan.
TechCrunch’s analysis of the data inside the exposed system revealed at least a hundred cameras located across major Uzbek cities, as well as busy junctions and other important transit routes.
We plotted the GPS coordinates of the cameras, and found banks of license plate readers in Tashkent, the cities of Jizzakh and Qarshi in the south, and Namangan in the east. Some of the cameras are located in rural areas, such as on routes near the once-disputed parts of the borders between Uzbekistan and Tajikistan.
In Tashkent, the country’s largest city, the cameras can be found at more than a dozen locations. Some of these cameras are even visible on Google Street View.
The cameras, some which watermark their footage with the name of the Singapore camera maker Holowits, capture video footage and still images of vehicles violating rules in 4K resolution.
The exposed system allows access to its web-based interface, which contains a dashboard allowing operators to examine footage of traffic violations. The dashboard contains zoomed-in photos and the raw video footage of violations, as well as surrounding vehicles. (TechCrunch redacted the license plates and vehicle occupants prior to publication.)
The exposure of Uzbekistan’s national license plate reading system is the latest example of a security lapse involving road surveillance cameras.
Earlier this year, Wired reported that more than 150 license plate readers around the United States and the real-time vehicle data they collect were exposed to the internet without any security.
Exposed license plate readers are not a new phenomena. In 2019, TechCrunch reported that over a hundred license plate readers were searchable and accessible from the internet, allowing anyone to access the data within. Some had been exposed for years, despite security researchers warning law enforcement agencies that these systems could be accessed from the web.
To securely contact this reporter, you can reach out using Signal via the username: zackwhittaker.1337
