Stolen Police Logins Raise Flock Safety Surveillance Camera Security Concerns, 35 Customer Passwords Leaked
Published
- FTC investigation: U.S. lawmakers have called for an FTC investigation into Flock Safety cameras after at least 35 passwords were leaked.
- MFA not mandatory: They cite lax security practices that expose the camera network to unauthorized access, including MFA for law enforcement customers.
- Stolen credentials: Evidence shows that logins for Flock's law enforcement portal have been stolen and were found for sale on a Russian cybercrime forum.
U.S. lawmakers are raising alarms about significant security issues with Flock Safety cameras, urging the Federal Trade Commission (FTC) to investigate the company due to a security gap could allow hackers or foreign spies who obtain police credentials to gain access to a vast surveillance network that tracks the movements of millions of Americans.
Stolen Police Logins and Unauthorized Access
In a letter to the FTC, U.S. Senator Ron Wyden and Congress Representative Raja Krishnamoorthi detailed how Flock's failure to enforce mandatory multi-factor authentication (MFA) for its law enforcement clients creates a serious risk.
The cybersecurity concerns are not merely theoretical. Researchers have found evidence of stolen police logins for the Flock platform being shared and sold online, including on a Russian cybercrime forum.
“A search by Congressional staff of a public tool operated by the cybersecurity company Hudson Rock documenting accounts compromised by a form of malware known as an infostealer reveals that passwords for at least 35 Flock customer accounts have been stolen,” the letter reads.
“Security researcher Benn Jordan also recently provided our offices with a screenshot from a Russian-language cybercrime forum in which Flock accounts appear to be offered for sale.”
Flock operates one of the largest license plate reader networks in the U.S., with over 5,000 police departments using its system to search billions of vehicle photos. Without mandatory MFA, a single compromised password could grant an unauthorized user access to this sensitive data.
A previously reported incident involved a DEA agent using a local police officer's password to access Flock's system without the officer's knowledge, highlighting the real-world implications of not enforcing MFA.
Flock Safety's Response to Security Issues
In response to the lawmakers' letter, Flock Safety stated that multi-factor authentication has been the default for all new customers since November 2024.
The company reported that 97% of its existing law enforcement customers have enabled the feature. However, this leaves approximately 3% of its clients—potentially dozens of police agencies—who have declined to enable MFA for their own reasons.
Flock did not specify why it does not mandate the security feature for all users, a decision that remains at the center of the controversy.
Last month, the Amazon-owned home security company announced a partnership with Flock Safety to enable law enforcement requests for video footage from millions of Ring camera owners.
Meanwhile, several US cities halted the use of ALPR cameras due to privacy concerns as municipalities re-evaluated surveillance technology. Earlier this year, misconfigured Motorola ALPRs revealed the live streams of individual cameras across the U.S., exposing collected data.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular