Lawmakers have known as on the Federal Commerce Fee to analyze Flock Security, an organization that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections that expose its digicam community to hackers and spies.
In a letter despatched by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, eighth), the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock doesn’t implement the usage of multi-factor authentication (MFA), a security safety that forestalls malicious entry by somebody with information of the account holder’s password.
Wyden and Krishnamoorthi mentioned that whereas the corporate affords its legislation enforcement clients the flexibility to allow MFA, “Flock doesn’t require it, which the corporate confirmed to Congress in October,” based on the letter.
Wyden and Krishnamoorthi mentioned that if hackers or overseas spies study of a legislation enforcement consumer’s password, “they’ll achieve entry to law-enforcement-only areas of Flock’s web site and search the billions of images of People’ license plates collected by taxpayer-funded cameras throughout the nation.”
Flock operates one of many largest networks of cameras and license plate readers within the U.S., offering entry to greater than 5,000 police departments, in addition to non-public companies, throughout the nation. Flock’s cameras scan the license plates of passing automobiles in order that police and federal companies with logins to Flock’s platform can search the billions of captured images and observe the place automobiles have traveled at any given time.
The lawmakers mentioned that they’d discovered proof that a few of Flock’s legislation enforcement clients’ logins had been beforehand stolen and shared on-line, citing knowledge from Hudson Rock, a cybersecurity firm that identifies usernames and passwords stolen by information-stealing malware.
Unbiased security researcher Benn Jordan additionally offered the lawmakers with a screenshot exhibiting a Russian cybercrime discussion board allegedly promoting entry to Flock logins.
When reached by information.killnetswitch for remark, Flock shared the corporate’s response in a letter from its chief authorized officer Dan Haley, through which he says the corporate switched on MFA by default for all new clients beginning in November 2024, and that 97% of its legislation enforcement clients have enabled MFA so far.
That leaves round 3% of the corporate’s clients — doubtlessly dozens of legislation enforcement companies — which have declined to change on MFA, citing “causes particular to them,” Haley wrote.
Holly Beilin, a spokesperson for Flock, didn’t instantly present a selected variety of legislation enforcement clients that haven’t but switched on MFA, say if any federal companies are among the many remaining clients, or for what motive Flock doesn’t require its clients to change on the security function.
404 Media beforehand reported that the U.S. Drug Enforcement Administration used a neighborhood police officer’s password to entry Flock’s cameras to seek for a person suspected of an “immigration violation,” however with out the officer’s information. The Palos Heights Police Division mentioned it switched on multi-factor authentication following the breach.
