Lawmakers Say Poor Police Security Exposes Flock Surveillance Cameras to Hackers
Flock doesn’t have a great privacy reputation in many quarters, and although this particular problem may not be entirely their fault, they are going to get beat up for it anyway.
Flock, you may remember, is the company that sells license plate reader cameras to anyone. Say you are an HOA and you want to track the comings and goings of everyone in your subdivision. Flock is your friend. They take the data from the cameras, compile it into a national database, and then any of their customers can query that database. Local customers can opt out of sharing, but YOU can’t. Unless state law requires local jurisdictions to opt out, few do.
So now we have a massive database that the cops and others can search without a pesky warrant, since it is commercial data and they are paying customers.
You would think that the police would be security minded and want to protect that data.
Apparently not.
Flock does offer what everyone else offers, multifactor authentication (MFA). But it is not required. Flock admitted this in a response to Congress last month.
And, of course, it was off by default, since Flock publicly says that they just collect the data; what happens to it after that is not their problem.
So hackers, the so-called initial access brokers, socially engineer cops into coughing up their passwords.
Then they sell those passwords on the dark web. Since MFA was not required, using the stolen credentials is, as they say, easy peasy.
And it is not just American hackers selling the credentials; they show up on Russian cybercrime forums as well.
The company did finally switch MFA on for new accounts a year ago and says that 97 percent of customers now have MFA enabled.
But let’s do some math. They claim around 5,000 customer agencies. If three percent do not have MFA turned on, that means about 150 agencies are STILL exposed. Denver is a customer. How many detectives does Denver have? They don’t release a specific number for detectives, but they have about 1,500 sworn officers, which includes detectives. If we assume departments average about 10 to 15 percent detectives, that puts Denver in the range of 150 to 225 detectives. If that were average across the customer base, 150 agencies times 150 to 225 detectives each would be roughly 22,000 to 34,000 unprotected accounts; call it 20,000. Denver is bigger than the typical customer, so let’s cut that in half, to say 10,000 unprotected accounts. You get the idea. So do Russian hackers.
One of the reasons an agency may not turn on MFA is that they are covertly, and often illegally (illegal as in breaking the law, not illegal as in violating Flock’s license agreement), sharing accounts with agencies that are not Flock customers. For example, it has been reported that the DEA has used other agencies’ user IDs to search for people they are looking for. That is separate from agencies like ICE asking local cops to run searches on the police department’s own account (which is also illegal in some states but happens anyway).
In one case reported by 404 Media, the Palos Heights Police Department claimed that a DEA officer used one of their police officers’ passwords to run searches without the officer’s knowledge. So not only does the department have bad security policy (no MFA), but the officers don’t protect their own credentials either. This is far from the only case like this we have heard of. The FBI’s Criminal Justice Information Services (CJIS) systems are another set of search tools the cops use, and we have seen reports of similar problems with CJIS access, which hackers like to use to get dirt on their enemies.
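The two failure modes above, password-only logins and one officer’s credentials being used by someone else, leave a recognizable trace in portal login logs. The following Python script is an added example, not code from the original post, TechCrunch, 404 Media, or Flock: it runs over a constructed set of login records (the field names, account names, agencies and IP addresses are all invented; Flock’s real log format is not known here) and flags accounts that never complete a second factor and accounts that appear from two unrelated networks within an hour, the pattern a shared or stolen password produces.

```python
"""Triage constructed LPR-portal login records for (a) sessions that never
completed MFA and (b) one account used from several networks at once, the
footprint of shared or stolen credentials.  Log format and sample records
are invented for this example; they are not Flock's actual logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    when: datetime
    account: str      # user ID on the search portal (hypothetical)
    agency: str       # agency the account belongs to (hypothetical)
    src_ip: str       # client address of the session
    mfa: bool         # did the session complete a second factor?


# Constructed sample: "det_smith" logs in from two unrelated networks within
# minutes, with no MFA on either session (the shared-password scenario);
# "sgt_jones" moves within one office network and always uses MFA.
SAMPLE: List[Login] = [
    Login(datetime(2025, 9, 1, 8, 2), "det_smith", "PalosHeightsPD", "198.51.100.14", False),
    Login(datetime(2025, 9, 1, 8, 9), "det_smith", "PalosHeightsPD", "203.0.113.77", False),
    Login(datetime(2025, 9, 1, 8, 30), "sgt_jones", "PalosHeightsPD", "198.51.100.20", True),
    Login(datetime(2025, 9, 1, 9, 15), "sgt_jones", "PalosHeightsPD", "198.51.100.21", True),
    Login(datetime(2025, 9, 1, 9, 40), "analyst_lee", "DenverPD", "192.0.2.5", False),
]


def password_only_logins(events: List[Login]) -> List[Login]:
    """Every session that never completed a second factor."""
    return [e for e in events if not e.mfa]


def same_net(a: str, b: str, prefix: int = 24) -> bool:
    """Treat two IPv4 addresses as the same network if they share a /prefix."""
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def shared_credential_candidates(events: List[Login],
                                 window: timedelta = timedelta(hours=1)
                                 ) -> Dict[str, List[Tuple[str, str]]]:
    """Accounts seen from two different networks within `window` of each other.
    Returns {account: [(earlier_ip, later_ip), ...]}."""
    by_account: Dict[str, List[Login]] = {}
    for e in sorted(events, key=lambda ev: ev.when):
        by_account.setdefault(e.account, []).append(e)
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later.when - first.when > window:
                    break  # events are time-sorted; nothing later can qualify
                if not same_net(first.src_ip, later.src_ip):
                    hits.setdefault(account, []).append((first.src_ip, later.src_ip))
    return hits


def triage(events: List[Login]) -> dict:
    """Which accounts lack MFA, which look shared, and which are both."""
    no_mfa = sorted({e.account for e in password_only_logins(events)})
    shared = shared_credential_candidates(events)
    return {
        "no_mfa_accounts": no_mfa,
        "shared_candidates": shared,
        "both": [a for a in no_mfa if a in shared],  # highest priority
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the sample, `det_smith` is the only account that is both password-only and seen from two networks in a short window, which is exactly the combination the Palos Heights story describes. The /24 heuristic is deliberately crude; in a real deployment you would compare against the agency’s known egress ranges or ASN instead.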
Credit: TechCrunch
