Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections, a failure they say exposes its camera network to hackers and spies.
In a letter sent by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock does not enforce the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone with knowledge of the account holder’s password.
Wyden and Krishnamoorthi said that while the company offers its law enforcement customers the ability to enable MFA, “Flock doesn’t require it, which the company confirmed to Congress in October,” according to the letter.
Wyden and Krishnamoorthi said that if hackers or foreign spies learn of a law enforcement user’s password, “they’ll acquire entry to law-enforcement-only areas of Flock’s website and search the billions of images of Americans’ license plates collected by taxpayer-funded cameras throughout the nation.”
Flock operates one of the largest networks of cameras and license plate readers in the U.S., providing access to more than 5,000 police departments, as well as private businesses, across the country. Flock’s cameras scan the license plates of passing vehicles so that police and federal agencies with logins to Flock’s platform can search the billions of captured photos and track where vehicles have traveled at any given time.
The lawmakers said that they had found evidence that some of Flock’s law enforcement customers’ logins had previously been stolen and shared online, citing data from Hudson Rock, a cybersecurity company that identifies usernames and passwords stolen by information-stealing malware.
Independent security researcher Benn Jordan also provided the lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.
When reached by TechCrunch for comment, Flock shared the company’s response in a letter from its chief legal officer Dan Haley, in which he says the company switched on MFA by default for all new customers starting in November 2024, and that 97% of its law enforcement customers have enabled MFA to date.
That leaves around 3% of the company’s customers — potentially dozens of law enforcement agencies — that have declined to switch on MFA, citing “causes particular to them,” Haley wrote.
Holly Beilin, a spokesperson for Flock, did not immediately provide a specific number of law enforcement customers that have not yet switched on MFA, say whether any federal agencies are among the remaining customers, or say why Flock does not require its customers to switch on the security feature.
404 Media previously reported that the U.S. Drug Enforcement Administration used a local police officer’s password to access Flock’s cameras to search for a person suspected of an “immigration violation,” but without the officer’s knowledge. The Palos Heights Police Department said it switched on multi-factor authentication following the breach.




