Police Surveillance Cameras Hacked: Stolen Logins Expose Flock System

Concerns Raised Over Flock Safety's Cybersecurity Practices

Legislators are requesting a federal investigation into Flock Safety, a provider of license plate recognition technology. The call for scrutiny stems from allegations that the company lacks sufficient cybersecurity measures, potentially exposing its extensive camera network to unauthorized access.

FTC Investigation Requested

Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL, 8th) have jointly urged Federal Trade Commission Chairman Andrew Ferguson to initiate a probe. Their concern centers on Flock Safety’s decision not to mandate multi-factor authentication (MFA) for its users.

The lawmakers highlighted that while MFA is offered as an option to law enforcement clients, its implementation remains voluntary. This was confirmed by the company during congressional inquiries in October.

Potential Risks of Unsecured Access

Wyden and Krishnamoorthi emphasized the potential consequences of this security gap. Should a malicious actor obtain a law enforcement user’s password, they could gain access to sensitive areas of Flock’s platform.

This access would allow them to search the vast database of license plate images collected by the company’s cameras, which are funded by taxpayer dollars and span across the nation.

Flock Safety's Extensive Network

Flock Safety operates a substantial network of cameras and license plate readers throughout the United States. The company provides access to over 5,000 police departments and numerous private businesses.

These cameras automatically scan the license plates of vehicles, enabling law enforcement and federal agencies to track vehicle movements and search for specific plates within the collected data.

Evidence of Compromised Credentials

The lawmakers presented evidence suggesting that some law enforcement logins for Flock Safety’s platform have been previously compromised and circulated online. This information was sourced from Hudson Rock, a cybersecurity firm specializing in identifying stolen credentials.

Furthermore, independent security researcher Benn Jordan shared a screenshot purportedly showing access to Flock Safety logins being sold on a Russian cybercrime forum.

Flock Safety's Response

In response to inquiries from TechCrunch, Flock Safety provided a statement from its chief legal officer, Dan Haley. Haley stated that MFA has been enabled by default for all new customers since November 2024.

He also reported that 97% of current law enforcement customers have activated MFA. However, this leaves approximately 3% – potentially dozens of agencies – who have opted not to implement the added security layer.

Remaining Concerns and Lack of Transparency

Holly Beilin, a spokesperson for Flock Safety, did not disclose the exact number of law enforcement customers who have not enabled MFA. She also refrained from specifying whether any federal agencies are among those remaining, or the rationale behind the company’s continued voluntary approach to MFA.

Previous Security Breach

Reports from 404 Media revealed that the U.S. Drug Enforcement Administration previously accessed Flock Safety’s cameras using a local police officer’s password, without the officer’s awareness. This access was utilized to search for an individual suspected of an “immigration violation.”

Following this incident, the Palos Heights Police Department confirmed that they have since implemented multi-factor authentication.