Stolen Police Logins Expose Flock Cameras to Hackers
▼ Summary
– Lawmakers are urging the FTC to investigate Flock Safety for cybersecurity vulnerabilities in its license plate scanning camera network.
– The investigation focuses on Flock’s failure to require multi-factor authentication, which could allow unauthorized access with just a password.
– Hackers or foreign spies could access billions of license plate photos and law enforcement data if passwords are compromised.
– Evidence shows some Flock law enforcement logins have been stolen and shared online, including on Russian cybercrime forums.
– Flock now enables MFA by default for new customers, but approximately 3% of law enforcement agencies have not activated it.
A major security vulnerability has been identified within the Flock Safety license plate scanning network, prompting federal lawmakers to demand an investigation. Senators are urging the Federal Trade Commission to examine why the company does not mandate multi-factor authentication for all law enforcement users, leaving sensitive data open to potential exploitation.
In a formal letter to FTC Chairman Andrew Ferguson, Senator Ron Wyden and Representative Raja Krishnamoorthi detailed their concerns about Flock’s security practices. They emphasized that while the company provides multi-factor authentication as an option, it remains voluntary for police departments to activate this critical security layer. The legislators confirmed that Flock acknowledged this policy during congressional discussions last October.
The security implications are significant. Should hackers or foreign operatives obtain an officer’s login credentials, they could penetrate restricted sections of Flock’s platform. This unauthorized access would allow them to search through billions of license plate photographs captured by cameras installed nationwide, many funded by taxpayer dollars.
Flock maintains one of America’s most extensive automated license plate recognition systems, serving over 5,000 police agencies alongside various private entities. These cameras continuously photograph passing vehicles, creating a massive database that authorized personnel can query to trace vehicle movements across different locations and timeframes.
Evidence presented by the lawmakers indicates this isn’t merely a theoretical risk. Cybersecurity firm Hudson Rock provided data showing that login credentials from some Flock law enforcement customers had previously been compromised and circulated online. Adding to these concerns, independent security researcher Benn Jordan supplied a screenshot from Russian cybercrime forums where access to Flock accounts was reportedly being sold.
Flock responded to inquiries by sharing a letter from Chief Legal Officer Dan Haley, who stated the company began enabling multi-factor authentication by default for new customers starting November 2024. Haley noted that approximately 97% of law enforcement clients have currently activated this security feature.
This statistic implies that roughly 3% of police agencies, potentially dozens of departments, continue operating without multi-factor protection. Haley indicated these organizations have their own specific reasons for declining the enhanced security, though no detailed explanation was provided.
Flock spokesperson Holly Beilin declined to specify how many law enforcement customers remain without multi-factor authentication, whether any federal agencies are among them, or why the company doesn’t require this fundamental security measure across all accounts.
The security concerns follow earlier reports from 404 Media revealing that the U.S. Drug Enforcement Administration used a local officer’s Flock credentials without their knowledge to search for someone suspected of immigration violations. Following this security breach, the involved police department stated it had activated multi-factor authentication.
(Source: TechCrunch)