Lawmakers have known as on the Federal Commerce Fee to research Flock Security, an organization that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections that expose its digicam community to hackers and spies.

In a letter despatched by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, eighth), the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock doesn’t implement using multi-factor authentication (MFA), a safety safety that forestalls malicious entry by somebody with data of the account holder’s password.

Wyden and Krishnamoorthi mentioned that whereas the corporate presents its regulation enforcement clients the power to allow MFA, “Flock doesn’t require it, which the corporate confirmed to Congress in October,” in line with the letter.

Wyden and Krishnamoorthi mentioned that if hackers or overseas spies be taught of a regulation enforcement person’s password, “they’ll acquire entry to law-enforcement-only areas of Flock’s web site and search the billions of images of People’ license plates collected by taxpayer-funded cameras throughout the nation.”

Flock operates one of many largest networks of cameras and license plate readers within the U.S., offering entry to greater than 5,000 police departments, in addition to personal companies, throughout the nation. Flock’s cameras scan the license plates of passing automobiles in order that police and federal companies with logins to Flock’s platform can search the billions of captured images and monitor the place automobiles have traveled at any given time.

The lawmakers mentioned that that they had discovered proof that a few of Flock’s regulation enforcement clients’ logins had been beforehand stolen and shared on-line, citing knowledge from Hudson Rock, a cybersecurity firm that identifies usernames and passwords stolen by information-stealing malware. 

Impartial safety researcher Benn Jordan additionally supplied the lawmakers with a screenshot displaying a Russian cybercrime discussion board allegedly promoting entry to Flock logins.

When reached by TechCrunch for remark, Flock shared the corporate’s response in a letter from its chief authorized officer Dan Haley, by which he says the corporate switched on MFA by default for all new clients beginning in November 2024, and that 97% of its regulation enforcement clients have enabled MFA so far.

That leaves round 3% of the corporate’s clients — probably dozens of regulation enforcement companies — which have declined to change on MFA, citing “causes particular to them,” Haley wrote. 

Holly Beilin, a spokesperson for Flock, didn’t instantly present a selected variety of regulation enforcement clients that haven’t but switched on MFA, say if any federal companies are among the many remaining clients, or for what cause Flock doesn’t require its clients to change on the safety characteristic.

404 Media beforehand reported that the U.S. Drug Enforcement Administration used a neighborhood police officer’s password to entry Flock’s cameras to seek for a person suspected of an “immigration violation,” however with out the officer’s data. The Palos Heights Police Division mentioned it switched on multi-factor authentication following the breach.