Interior Ministry responds to reports on alleged vulnerabilities in road camera platform

TechCrunch earlier reported that Uzbekistan operates an extensive nationwide network of high-resolution roadside cameras capable of scanning license plates and vehicle occupants, and that parts of the system were allegedly accessible on the internet without password protection. According to the outlet, the exposure was discovered by security researcher Anurag Sen, who said the database allowed unrestricted access to millions of images and videos, detailed vehicle movements, and precise geographic coordinates of camera locations. The system was described as an “intelligent traffic management system” developed by Shenzhen-based Maxvision and operated by the Department of Public Security under the Interior Ministry.

In a statement, the Interior Ministry denied these allegations, emphasizing that access to traffic violation materials is strictly limited. According to the ministry, photos and videos recorded by road cameras can only be viewed via a unique direct link provided to the offender and are not publicly accessible.

The ministry said technical devices used for photo and video recording of traffic violations across the country are registered by entrepreneurs and other entities, while the data collected by these cameras are transmitted to the “Administrative Practice” module of the Unified Automated Information System of the Road Safety Service.

“All systems have undergone a three-stage cybersecurity assessment. Security is guaranteed,” the Interior Ministry said, stressing that the platforms comply with established information security requirements.

Under current regulations, the “Administrative Practice” module must include a standardized set of data for each violation: three photographs of the vehicle at the moment of the offense – showing the general situation, a close-up of the vehicle, and its license plate – as well as a 6–10 second video recording, the date and time of the violation accurate to the minute, the address and GPS coordinates of the location, and the vehicle’s speed in kilometers per hour.

Offenders can view photos and videos related to their case on cloud.yhxx.uz via a dedicated page that does not require entering a username or password. Access is provided through a unique direct link embedded as a QR code in the fine notice issued by the Road Safety Service. Citizens can obtain information only about a specific violation, either through the QR code or via mobile applications such as Road24 and Saferoad.

Addressing the TechCrunch report directly, the Interior Ministry confirmed that its Cybersecurity Center received a letter from TechCrunch journalist Zack Whittaker regarding alleged vulnerabilities on cloud.yhxx.uz and claims that personal data had been left publicly accessible. The ministry said it responded that no such vulnerabilities or exposed personal data were identified.

The press service added that no formal complaints regarding vulnerabilities in the photo and video enforcement system have been registered with either the Interior Ministry or the Road Safety Service. Experts who reviewed the platform’s security mechanisms confirmed its compliance with established standards, the ministry said.

Information about the locations of road cameras, the Interior Ministry noted, is available from open sources and is regularly updated.