A network of roughly 100 high-resolution license plate readers spanning Uzbekistan's major cities and border routes has been left completely exposed to the internet. Anyone with a browser could access millions of vehicle photos, raw 4K video footage, and GPS coordinates of every camera location—all without entering a single password. Security researcher Anurag Sen discovered the breach and shared findings with TechCrunch. The exposure marks the precise moment when nation-state surveillance infrastructure, long treated as hermetically sealed from public access, becomes an open book. For enterprise security teams, government agencies designing similar systems, and policymakers watching the U.S. build its own license plate reader network, this inflection point demands immediate architecture reassessment.

Across Uzbekistan, a hundred banks of high-resolution roadside cameras were supposed to work like a sealed surveillance apparatus. Traffic enforcement, vehicle tracking, red light detection—all of it feeding into a centralized database that only authorized Ministry of Internal Affairs operators could access. The system was called an 'intelligence traffic management system,' built by Maxvision, a Shenzhen-based surveillance technology vendor, and deployed mid-2025. By all conventional security assumptions, that data—millions of photos, vehicle occupant captures, real-time video footage—should have remained locked behind authentication walls.

Then Anurag Sen found it sitting completely open on the internet.

No passwords. No API tokens. No access controls. Just a web dashboard exposing the entire operational backbone of the nation's vehicle surveillance network. TechCrunch's investigation reveals what's inside: the real-world GPS coordinates of every camera location. Four thousand resolution images and video of traffic violations. Six months of tracking data on individual vehicles moving through Tashkent, Chirchiq, Eshonguzar—showing one driver's movements across the country sometimes multiple times weekly.

This isn't a theoretical vulnerability. This is infrastructure failure at scale.

The timing matters because the United States is currently building something architecturally identical. Hundreds of license plate readers operated by local law enforcement, many provided by Flock Safety, deployed across American cities with minimal oversight and shaky security. Just this week—the same week Uzbekistan's exposure surfaced—independent news outlet 404 Media reported that Flock left dozens of its own license plate reading cameras publicly exposed to the web, allowing reporters to watch themselves being tracked in real time by a Flock camera. A reporter literally followed the live footage of their own movement through a city.

This is not accidental. This is pattern.

Back in 2019, TechCrunch documented over a hundred license plate readers across the United States that were searchable and accessible from the internet. Some had been exposed for years despite explicit security researcher warnings to law enforcement agencies. The difference then was scale and awareness. Uzbekistan's exposure is cleaner, more complete, more revealing of how these systems actually work operationally.

When you access Uzbekistan's exposed dashboard, you see what a production surveillance infrastructure looks like stripped of its security theater. The system reveals the architecture's core assumption: centralization equals security. Put all the cameras under one database. One ministry. One access point. Make it official enough and surely it won't leak.

Except it always does.

Maxvision's 'intelligence traffic management system' was built for what the vendor calls real-time 'illegal process' recording and display. The term itself is telling—surveillance framed as traffic enforcement, but with the capability to track any individual across an entire country indefinitely. Maxvision exports these systems globally: Burkina Faso, Kuwait, Oman, Mexico, Saudi Arabia, Uzbekistan. Every installation carries the same architectural risk. Every centralized surveillance network built on the assumption that air-gapping it from the internet is sufficient protection.

Uzbekistan's government has not responded. The Ministry of Internal Affairs in Tashkent didn't reply to TechCrunch's inquiries. Representatives in Washington and New York stayed silent. The computer emergency response team, UZCERT, sent only an automated acknowledgment. As of publication, the system remained exposed.

Here's what's actually shifting: The conversation around surveillance infrastructure is moving from 'Is this a threat?' to 'How are we making this worse?' Centralized systems fail catastrophically because they concentrate risk. When the database gets exposed, it's not one camera or one city—it's an entire nation's movement data. The vendor assumptions about security didn't account for human error, insider threats, misconfiguration, or the simple fact that any system connected to the internet eventually becomes accessible.

For enterprise decision-makers evaluating centralized surveillance platforms, the inflection point is now. You can no longer assume that 'official' or 'government-grade' means secure. For cybersecurity professionals, Uzbekistan is the smoking gun proving that license plate infrastructure vulnerability is systemic, not accidental. For investors in surveillance technology, this is the moment when liability becomes undeniable. For U.S. policymakers watching Flock's expansion and local law enforcement buying license plate readers without understanding the architecture—this is the moment that data should drive policy.

The next threshold to watch: government response. Will Uzbekistan secure the system? Will the U.S. establish minimum security requirements for license plate readers? Will surveillance vendors finally build systems assuming they will leak? The data suggests none of this happens until forced. TechCrunch's publication of this finding is the forcing function. Everything that happens next—or doesn't happen—is a choice.

Uzbekistan's exposed surveillance infrastructure marks the transition moment where centralized government systems stop being theoretical risks and become operational disasters. For enterprise decision-makers and government agencies building similar platforms, the window to implement security-first architecture closes now. The pattern is unmistakable: every centralized license plate surveillance network eventually leaks. Cybersecurity professionals should treat Uzbekistan as a case study in architectural failure, not an anomaly. Investors in surveillance technology face liability questions that won't go away. The next threshold to monitor is government response—both in Uzbekistan (will the system be secured?) and the United States (will policy finally catch infrastructure reality?). Until governments establish minimum security standards for surveillance infrastructure, assume any centralized system will eventually be exposed. The question is no longer if, but when.