Cybersecurity Concerns Surrounding Flock Safety’s Surveillance System
Federal legislators have called on the Federal Trade Commission to investigate Flock Safety, a company that operates an extensive network of license plate recognition cameras. The concern centers on potential cybersecurity weaknesses that might expose the system to unauthorized intrusions by hackers or foreign intelligence agencies.
The Critical Role of Multi-Factor Authentication in Safeguarding Access
In a formal letter addressed to FTC Chair Andrew Ferguson, Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) highlighted the lack of mandatory multi-factor authentication (MFA) enforcement within Flock Safety’s platform. MFA serves as an essential security barrier designed to prevent unauthorized access even if login credentials are compromised.
While law enforcement agencies using flock’s services can opt into MFA, its use is not compulsory-a fact confirmed by the company during congressional hearings last year. This gap means that anyone who obtains valid usernames and passwords could potentially gain entry into sensitive law enforcement portals hosted on Flock’s website.
Scope and Sensitivity: Understanding Flock Safety’s Surveillance Reach
Flock Safety manages one of the nation’s largest license plate scanning networks, supporting over 5,000 police departments along with private clients across the United States. Its cameras continuously capture images of passing vehicles’ license plates, creating a vast database containing billions of photos funded through taxpayer resources.Authorized users-including federal agencies-can track vehicle movements through this extensive archive.
The Danger Posed by Stolen Credentials
Legislators referenced research from Hudson Rock, a cybersecurity firm specializing in stolen credential detection, which revealed that some login details belonging to law enforcement customers had been leaked online via malware designed to steal information. Additionally, autonomous investigations uncovered listings on Russian cybercrime forums offering these credentials for sale.
Flock Safety’s Measures and Remaining Security Challenges
Responding to these concerns,Flock Safety’s chief legal officer Dan Haley announced that starting November 2024 all new customers will be required by default to enable MFA protection. Currently, about 97% of their law enforcement clients have activated this feature voluntarily.
This leaves approximately 3%-potentially dozens-of agencies without enforced MFA due to “agency-specific reasons,” according to haley. Though, no further details were provided regarding which organizations remain unprotected or whether any federal entities are included among them despite follow-up inquiries.
A Case Study Highlighting Vulnerabilities in Practice
An incident involving the U.S. Drug Enforcement Administration demonstrated real-world risks when agents accessed surveillance footage from local police accounts without authorization using stolen login credentials tied to immigration-related investigations. Following this breach at Palos Heights Police Department in Illinois, officials implemented multi-factor authentication as a safeguard against future unauthorized access attempts.
the Imperative for enhanced Protection of Surveillance Data
- MFA as an essential Cyber Defense: With global cyberattacks surging-data breaches increased by over 68% between 2018 and 2023-the adoption of strong authentication methods like MFA is vital for securing sensitive surveillance databases from exploitation.
- Sensitivity Surrounding Law Enforcement Information: The enormous collection containing billions of license plate images holds highly confidential data; any unauthorized disclosure could threaten individual privacy rights and national security interests alike.
- The Call for Regulatory Scrutiny: growing demands for FTC oversight reflect mounting concerns about accountability standards among companies managing taxpayer-funded public safety technologies while maintaining limited transparency around their cybersecurity protocols.
