Uzbekistan’s Nationwide License-Plate Surveillance System Left Publicly Exposed

TL;DR

A national license-plate scanning system in Uzbekistan was discovered accessible on the internet without a password, exposing millions of images and raw video from roadside cameras. The system, run by the country's internal security ministry and built with tech from firms including Maxvision, remains publicly reachable as of the report.

What happened

Security researcher Anurag Sen found a nationwide license-plate surveillance platform in Uzbekistan that was reachable online without authentication. The system, described in its interface as an "intelligence traffic management system" made by Maxvision, contains high-resolution stills and raw video from roughly a hundred roadside cameras across major cities and transit routes. Artifacts in the exposed database indicate it was established in September 2024 and began traffic monitoring in mid-2025. TechCrunch analyzed the content after Sen disclosed the lapse and plotted camera GPS coordinates, locating units in Tashkent, Jizzakh, Qarshi, Namangan and other areas, including rural routes near previously disputed border sections with Tajikistan. The platform stores zoomed photos and 4K video of violations and surrounding vehicles; TechCrunch redacted plates and occupants before publishing. Uzbek authorities and UZCERT did not provide substantive comment, and the system remained accessible at the time of the report.

Why it matters

• Mass surveillance datasets exposed without proper security can reveal the movements of individuals across an entire country.
• Unprotected camera feeds and databases increase the risk of misuse, stalking, or unauthorized analysis of sensitive travel patterns.
• The incident highlights vulnerabilities in large-scale public-security technology deployments supplied by private vendors.
• Similar exposures overseas and in the U.S. underscore that vehicle-tracking infrastructure is a recurring security and privacy concern.

Key facts

• Discovery credited to security researcher Anurag Sen, who shared the lapse with TechCrunch.
• System was exposed online without a password, allowing open access to its contents.
• Database artifacts show setup in September 2024; monitoring began in mid-2025.
• Contains millions of photos and raw camera video, including zoomed-in images and surrounding traffic footage.
• Operated by the Department of Public Security within Uzbekistan's Ministry of Internal Affairs.
• TechCrunch located about a hundred cameras across cities and transit routes, including Tashkent, Jizzakh, Qarshi, Namangan, and rural border routes.
• Cameras and software are associated with vendors such as Maxvision; some camera footage carried a Holowits watermark.
• The exposed web interface includes a dashboard for reviewing violations; TechCrunch redacted identifying details before publication.
• Uzbek government representatives and UZCERT did not provide substantive responses; UZCERT sent an automated acknowledgement.
• The system remained publicly reachable on the web at the time of reporting.

What to watch next

• Whether Uzbekistan's authorities will secure or take the system offline — not confirmed in the source.
• Any evidence that data were copied, downloaded or otherwise exfiltrated by third parties — not confirmed in the source.
• If affected individuals will be notified or what remedies, if any, will be offered — not confirmed in the source.

Quick glossary

• License-plate reader (LPR): A camera and software system that captures images of vehicle license plates and extracts plate numbers for indexing or real-time alerts.
• 4K resolution: A video resolution roughly equivalent to 3840×2160 pixels that provides high-detail imagery useful for identification.
• Dashboard (web interface): A browser-based control panel that lets operators view, search and analyze captured images and video from surveillance systems.
• Database exposure: A security lapse where a data store is reachable without proper authentication or protections, potentially allowing unauthorized access.

Reader FAQ

Who found the exposed system?
Security researcher Anurag Sen discovered the system and shared details with TechCrunch.

Who operates the surveillance platform?
The system is run by the Department of Public Security in Uzbekistan's Ministry of Internal Affairs.

Has the Uzbek government responded or secured the system?
Officials and UZCERT did not provide substantive responses; UZCERT sent only an automated acknowledgement and further remediation was not confirmed in the source.

What kind of data was exposed?
The exposed system included millions of still photos and raw video footage from roadside cameras, plus location data for the cameras.

Across Uzbekistan, a network of about a hundred banks of high-resolution roadside cameras continuously scan vehicles’ license plates and their occupants, sometimes thousands a day, looking for potential traffic violations….

Sources

• Inside Uzbekistan’s nationwide license plate surveillance system
• Security Lapse Exposes Uzbekistan's Nationwide Licence …
• Uzbekistan License Plate Monitoring System Data Leak …
• Sanctioned spyware maker Intellexa had direct access to …

Related posts

• Suspected DDoS Disrupts France’s Postal Services and La Banque Postale
• Crypto Heists Hit Record $2.7B in 2025, Bybit Breach Tops Losses
• John Carreyrou and other authors sue six AI firms over pirated book training