Lawmakers say stolen police logins expose Flock surveillance cameras to hackers

Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections that exposed its camera network to hackers and spies.

In a letter sent by Sen. Ron Wyden (D-Ore.) and Rep. Raja Krishnamurthy (D-Ill., 8th), lawmakers are urging FTC Chairman Andrew Ferguson to investigate why Fluke did not enforce the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone with knowledge of an account holder’s password.

Wyden and Krishnamurthy said that while the company offers its law enforcement customers the ability to enable MFA, “Fluke does not require it, which the company confirmed to Congress in October,” according to the letter.

If hackers or foreign spies knew a law enforcement user’s password, Wyden and Krishnamurthy said, “they could access law enforcement-only areas of the Fluke website and search billions of images of Americans’ license plates collected by taxpayer-funded cameras across the country.”

Flock operates one of the largest networks of cameras and license plate readers in the United States, providing access to more than 5,000 police departments, as well as private businesses, across the country. Flock cameras scan the license plates of passing vehicles so police and federal agencies with logins to the Flock platform can search through billions of captured images and track where vehicles have traveled at any given time.

Lawmakers said they found evidence that some of the logins of Flock’s law enforcement agents had previously been stolen and shared online, citing data from Hudson Rock, a cybersecurity firm that identifies usernames and passwords stolen by information-stealing malware.

Independent security researcher Ben Jordan also provided lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.

When reached for comment by TechCrunch, Flock shared the company’s response in a letter from its chief legal officer Dan Haley, saying that the company has turned on MFA by default for all new customers starting in November 2024, and that 97% of law enforcement customers have enabled MFA to date.

That leaves about 3% of the company’s clients — and perhaps dozens of law enforcement agencies — who have declined to switch to MFA, citing “reasons of their own,” Healey wrote.

Flock spokeswoman Holly Bellin did not immediately provide a specific number of law enforcement customers who have not yet turned on MFA, for example whether any federal agencies are among the remaining customers, or for what reason Flock does not require its customers to turn on the security feature.

Media outlets previously reported that the US Drug Enforcement Administration used a local police officer’s password to access Fluke cameras to search for someone suspected of committing an “immigration violation,” but without the officer’s knowledge. The Palos Heights Police Department said it turned on multi-factor authentication after the hack.