Lawmakers have asked the Federal Trade Commission to investigate license plate scanning camera operator Flock Safety for allegedly failing to implement cybersecurity protections, leaving the company's camera network exposed to hackers and spies.
In a letter sent on Wednesday, Sen. Ron Wyden (D-Ore.) and Rep. Raja Krishnamoorthi (D-Ill.) asked FTC Chairman Andrew Ferguson to investigate why Flock is not enforcing the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone who knows an account owner's password.
In the letter, Wyden and Krishnamoorthi said that while the company offers its law enforcement customers the ability to enable MFA, “Flock does not require it, and the company confirmed that to Congress in October.”
Wyden and Krishnamoorthi said that if hackers or foreign spies learned a law enforcement user's password, they could “access law enforcement-only areas of Flock's website and search through the billions of American license plate photos collected by taxpayer-funded cameras across the country.”
Flock operates one of the largest networks of cameras and license plate readers in the United States, providing access to more than 5,000 police departments and private businesses across the country. Flock's cameras scan the license plates of passing vehicles, allowing law enforcement and federal agencies logged into the Flock platform to search through the billions of photos taken and track where and when a vehicle has traveled.
Lawmakers said they found evidence that some of Flock's law enforcement customers' login information had previously been stolen and shared online, citing data from cybersecurity firm Hudson Rock that identifies usernames and passwords stolen by information-stealing malware.
Independent security researcher Ben Jordan also provided lawmakers with screenshots showing a Russian cybercrime forum that allegedly sells access to Flock logins.
When asked for comment by TechCrunch, Flock shared the company's response in a letter from Chief Legal Officer Dan Haley, in which the company said it will enable MFA by default for all new customers starting in November 2024, and that 97% of its law enforcement customers have enabled MFA to date.
That leaves about 3% of the company's customers, which could be dozens of law enforcement agencies, that refuse to enable MFA for “customer-specific reasons,” Haley wrote.
Flock spokeswoman Holly Bailin did not immediately say how many law enforcement customers have not yet turned on MFA, whether federal agencies are among the remaining customers, or why Flock does not require customers to turn on the security feature.
404 Media previously reported that the U.S. Drug Enforcement Administration used a local police officer's password to access Flock's cameras to search for possible “immigration violations,” without the officer's knowledge. The Palos Heights Police Department said it turned on multi-factor authentication after the breach.