Legislators have urged the Federal Trade Commission to look into Flock Safety, a company that manages license plate recognition cameras, over claims that it has not put in place adequate cybersecurity measures, leaving its camera system open to potential cyberattacks and surveillance.
In a letter from Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers ask FTC chairman Andrew Ferguson to investigate why Flock does not mandate multi-factor authentication (MFA), a security step that helps block unauthorized access even if someone knows the account password.
Wyden and Krishnamoorthi noted that although Flock allows law enforcement clients to activate MFA, “Flock does not make it compulsory, which the company acknowledged to Congress in October,” as stated in their letter.
They also warned that if cybercriminals or foreign intelligence agents obtain a law enforcement user’s password, “they could access restricted sections of Flock’s website and sift through billions of images of Americans’ license plates collected by cameras funded by taxpayers nationwide.”
Flock runs one of the country’s largest networks of surveillance cameras and license plate readers, serving over 5,000 police departments and private organizations across the U.S. The company’s cameras record license plates of passing vehicles, enabling law enforcement and federal agencies with Flock accounts to search through billions of images and trace vehicle movements at any time.
The lawmakers reported finding proof that login credentials for some of Flock’s law enforcement clients had previously been compromised and posted online, referencing information from Hudson Rock, a cybersecurity firm that tracks credentials stolen by malware.
Benn Jordan, an independent security analyst, also gave the lawmakers a screenshot that appeared to show a Russian cybercrime forum advertising access to Flock accounts for sale.
When TechCrunch contacted Flock for a statement, the company provided a letter from its chief legal officer Dan Haley, stating that as of November 2024, MFA is now enabled by default for all new customers, and that 97% of law enforcement clients have activated MFA so far.
This means about 3% of Flock’s clients — possibly including several law enforcement agencies — have chosen not to enable MFA, for reasons specific to their organizations, according to Haley.
Flock spokesperson Holly Beilin did not immediately specify exactly how many law enforcement clients have yet to turn on MFA, nor did she clarify whether any federal agencies are among those, or explain why Flock does not require all customers to use this security measure.
As previously covered by 404 Media, the U.S. Drug Enforcement Administration used a local police officer’s credentials to access Flock’s cameras and search for a person suspected of an “immigration violation,” without the officer’s awareness. The Palos Heights Police Department reported that it enabled multi-factor authentication after this incident.
