Lawmakers have known as on the Federal Commerce Fee to analyze Flock Security, an organization that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections that expose its digital camera community to hackers and spies.
In a letter despatched by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, eighth), the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock doesn’t implement using multi-factor authentication (MFA), a safety safety that stops malicious entry by somebody with information of the account holder’s password.
Wyden and Krishnamoorthi stated that whereas the corporate presents its regulation enforcement prospects the flexibility to allow MFA, “Flock doesn’t require it, which the corporate confirmed to Congress in October,” in accordance with the letter.
Wyden and Krishnamoorthi stated that if hackers or overseas spies study of a regulation enforcement consumer’s password, “they’ll acquire entry to law-enforcement-only areas of Flock’s web site and search the billions of photographs of People’ license plates collected by taxpayer-funded cameras throughout the nation.”
Flock operates one of many largest networks of cameras and license plate readers within the U.S., offering entry to greater than 5,000 police departments, in addition to non-public companies, throughout the nation. Flock’s cameras scan the license plates of passing autos in order that police and federal businesses with logins to Flock’s platform can search the billions of captured photographs and monitor the place autos have traveled at any given time.
The lawmakers stated that that they had discovered proof that a few of Flock’s regulation enforcement prospects’ logins had been beforehand stolen and shared on-line, citing information from Hudson Rock, a cybersecurity firm that identifies usernames and passwords stolen by information-stealing malware.
Impartial safety researcher Benn Jordan additionally supplied the lawmakers with a screenshot displaying a Russian cybercrime discussion board allegedly promoting entry to Flock logins.
When reached by TechCrunch for remark, Flock shared the corporate’s response in a letter from its chief authorized officer Dan Haley, wherein he says the corporate switched on MFA by default for all new prospects beginning in November 2024, and that 97% of its regulation enforcement prospects have enabled MFA thus far.
That leaves round 3% of the corporate’s prospects — doubtlessly dozens of regulation enforcement businesses — which have declined to change on MFA, citing “causes particular to them,” Haley wrote.
Holly Beilin, a spokesperson for Flock, didn’t instantly present a selected variety of regulation enforcement prospects that haven’t but switched on MFA, say if any federal businesses are among the many remaining prospects, or for what purpose Flock doesn’t require its prospects to change on the safety characteristic.
404 Media beforehand reported that the U.S. Drug Enforcement Administration used a neighborhood police officer’s password to entry Flock’s cameras to seek for a person suspected of an “immigration violation,” however with out the officer’s information. The Palos Heights Police Division stated it switched on multi-factor authentication following the breach.
