Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers

Lawmakers person called connected the Federal Trade Commission to analyse Flock Safety, a institution that operates licence sheet scanning cameras, for allegedly failing to instrumentality cybersecurity protections that exposure its camera web to hackers and spies.

In a letter sent by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers impulse FTC Chairman Andrew Ferguson to probe wherefore Flock does not enforce the usage of multi-factor authentication (MFA), a information extortion that prevents malicious entree by idiosyncratic with cognition of the relationship holder’s password.

Wyden and Krishnamoorthi said that portion the institution offers its instrumentality enforcement customers the quality to alteration MFA, “Flock does not necessitate it, which the institution confirmed to Congress successful October,” according to the letter.

Wyden and Krishnamoorthi said that if hackers oregon overseas spies larn of a instrumentality enforcement user’s password, “they tin summation entree to law-enforcement-only areas of Flock’s website and hunt the billions of photos of Americans’ licence plates collected by taxpayer-funded cameras crossed the country.”

Flock operates 1 of the largest networks of cameras and licence sheet readers successful the U.S., providing entree to much than 5,000 constabulary departments, arsenic good arsenic backstage businesses, crossed the country. Flock’s cameras scan the licence plates of passing vehicles truthful that constabulary and national agencies with logins to Flock’s level tin hunt the billions of captured photos and way wherever vehicles person traveled astatine immoderate fixed time.

The lawmakers said that they had recovered grounds that immoderate of Flock’s instrumentality enforcement customers’ logins had been antecedently stolen and shared online, citing information from Hudson Rock, a cybersecurity institution that identifies usernames and passwords stolen by information-stealing malware. 

Independent information researcher Benn Jordan besides provided the lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling entree to Flock logins.

When reached by TechCrunch for comment, Flock shared the company’s effect successful a missive from its main ineligible serviceman Dan Haley, successful which helium says the institution switched connected MFA by default for each caller customers starting successful November 2024, and that 97% of its instrumentality enforcement customers person enabled MFA to date.

That leaves astir 3% of the company’s customers — perchance dozens of instrumentality enforcement agencies — that person declined to power connected MFA, citing “reasons circumstantial to them,” Haley wrote. 

Holly Beilin, a spokesperson for Flock, did not instantly supply a circumstantial fig of instrumentality enforcement customers that person not yet switched connected MFA, accidental if immoderate national agencies are among the remaining customers, oregon for what crushed Flock does not necessitate its customers to power connected the information feature.

404 Media previously reported that the U.S. Drug Enforcement Administration utilized a section constabulary officer’s password to entree Flock’s cameras to hunt for an idiosyncratic suspected of an “immigration violation,” but without the officer’s knowledge. The Palos Heights Police Department said it switched connected multi-factor authentication pursuing the breach.