When Flock hit the agenda last week, I sped up my deep dive. As a Chief Information Security Officer (CISO) in my day job and virtual CISO for clients in a variety of industries, I perform the vendor reviews for any new application or hardware brought into the environment. I also oversee the implementation plans to ensure that how the technology is used is as secure as possible and meets the information security policies of the entity. I have also led cyber audits for these entities when the SEC or FBI comes knocking.
Which brings me to the line of questioning I started at the March 19th Council meeting. I had provided many of my questions to the administration ahead of time, knowing that they would need some time to gather answers. To their credit, they did send many of the questions to Flock before the meeting, and some answers were provided, though none that would pass any kind of third-party review.
I did not go into this meeting with a pre-determined opinion. I was hoping that both Flock and the Administration would take the opportunity to outline the processes and safeguards they had in place and maybe alleviate some of the resident concerns that were front and center. Unfortunately, that is not what happened.
- How is Troy’s Flock instance configured for user logins? If not using SSO, is 2FA required?
  Flock’s response: Flock Safety utilizes mandatory two-factor authentication by default for the Troy Police Department. This configuration requires every user to verify their login with a unique, one-time passcode sent to a registered trusted device.
2FA is a baseline in cyber defense, so at least they claim to have that. As residents pointed out, though, 2FA can still be done badly. I would have expected that a system with access to such private data would be integrated into a single sign-on (SSO) solution, and Flock does support SSO. This is not a point against Flock; it is a point against Troy for leaving this security control at the out-of-the-box level.
- Is Troy’s Flock system locked down at all so that users can only access the data from a trusted network or IP?
  Flock’s response: Access to the Flock Safety dashboard is strictly regulated to maintain CJIS compliance, yet it remains accessible beyond a single physical network. This flexibility ensures that both uniformed officers using Mobile Data Terminals (MDTs) and non-uniformed personnel utilizing the Flock Safety mobile app can receive real-time ‘Hot List’ alerts and investigative data directly from the field.
Flexibility is a ruse. The standard implementation for a system that holds confidential or private data is to lock it down so that a user can only reach it from a trusted, secure network. Users in the field still get access from other locations by connecting to a VPN first, so an IP allowlist does not take away the mobile use case Flock describes. The fact that Flock doesn’t seem to understand how that very basic technical setup works is concerning.
- Is Flock monitored by a SIEM tool?
  Flock’s response: Yes. Flock’s production environment is monitored by a centralized SIEM (SumoLogic) operated by the Flock InfoSec team, alongside EDR and vulnerability management tooling.
SIEM (Security Information and Event Management) tools aggregate logs from several sources within an environment and correlate events to detect a breach. While I am happy Flock has an internal SIEM tool, this response does not actually address the question of Troy’s Flock instance. I asked the Flock representative at the meeting whether this SIEM monitored each individual instance of Flock, and they didn’t have an answer. This is not entirely Flock’s issue; Troy should have its own SIEM tool that the Flock audit logs feed into. The fact that this question was sent to Flock instead of being answered by the administration is concerning. It sounds like there is nothing in place to alert us of a breach. It also points to a higher likelihood that parties outside the Troy PD have access to the data.
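To make the two points above concrete (a trusted-network restriction, and a SIEM that actually watches Troy’s instance), here is an added example of the kind of correlation rules Troy’s own SIEM would run over the dashboard audit trail. It is my illustration, not code from this post, from Flock, or from the city: the record format, the address ranges, the user and agency names, and the thresholds are all made up, and the sample records are constructed. It flags three things the post says nobody is currently watching for: logins from outside the PD network or VPN, accounts from another agency pulling Troy’s data, and one user running plate searches in bulk.

```python
"""Added example, not code from the post or from Flock: a small SIEM-style
correlation pass over constructed audit records from an ALPR dashboard.

Everything here is hypothetical: the record format, the trusted address
ranges, the user and agency names, and the thresholds.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical egress ranges: the PD network and the VPN concentrator pool.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
HOME_AGENCY = "Troy PD"
SEARCH_BURST_THRESHOLD = 20                  # more than this many searches ...
SEARCH_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst

# Constructed sample records in a made-up JSON-lines audit export format.
_RECORDS = [
    {"ts": "2025-03-20T09:01:00", "user": "ofc.smith", "agency": "Troy PD",
     "src_ip": "203.0.113.14", "action": "login"},
    {"ts": "2025-03-20T09:02:10", "user": "ofc.smith", "agency": "Troy PD",
     "src_ip": "203.0.113.14", "action": "search", "plate": "ABC1234"},
    # Login from an address that is neither the PD network nor the VPN.
    {"ts": "2025-03-20T23:40:00", "user": "det.jones", "agency": "Troy PD",
     "src_ip": "192.0.2.77", "action": "login"},
    # An account from another agency reaching Troy's data.
    {"ts": "2025-03-20T10:15:00", "user": "analyst.x", "agency": "Other County SO",
     "src_ip": "198.18.0.5", "action": "login"},
    {"ts": "2025-03-20T10:15:30", "user": "analyst.x", "agency": "Other County SO",
     "src_ip": "198.18.0.5", "action": "search", "plate": "XYZ9876"},
]
# One user running 25 plate searches in 25 seconds from the PD network.
_RECORDS += [
    {"ts": f"2025-03-20T13:00:{i:02d}", "user": "ofc.brown", "agency": "Troy PD",
     "src_ip": "203.0.113.40", "action": "search", "plate": f"PLT{i:04d}"}
    for i in range(25)
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)


def ip_is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse(text: str) -> list:
    """Parse JSON-lines records and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def correlate(records: list) -> list:
    """Run the three rules and return one alert dict per finding."""
    alerts = []
    search_times = defaultdict(list)
    for r in records:
        if r["action"] == "login" and not ip_is_trusted(r["src_ip"]):
            alerts.append({"rule": "login_from_untrusted_network",
                           "user": r["user"], "detail": r["src_ip"]})
        if r["agency"] != HOME_AGENCY and r["action"] in ("search", "export"):
            alerts.append({"rule": "foreign_agency_data_access",
                           "user": r["user"], "detail": r["agency"]})
        if r["action"] == "search":
            search_times[r["user"]].append(r["ts"])

    # Sliding window over each user's (already sorted) search timestamps;
    # one alert per user the first time the window exceeds the threshold.
    for user, times in search_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > SEARCH_BURST_WINDOW:
                start += 1
            if end - start + 1 > SEARCH_BURST_THRESHOLD:
                alerts.append({"rule": "search_burst", "user": user,
                               "detail": f"{end - start + 1} searches within "
                                         f"{SEARCH_BURST_WINDOW}"})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"{a['rule']:30} {a['user']:12} {a['detail']}")
```

Run as-is it prints four findings: two untrusted-network logins, one out-of-agency search, and one search burst. The first rule is the SIEM-side backstop for the network restriction the post asks about; the second and third are the kind of correlation that only exists if Troy’s instance is actually feeding a SIEM someone in Troy is watching.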
- What firmware version are the Troy LPRs running right now?
  Flock’s response: All Troy LPRs are on Flock’s current Picard LPR release train (Trapperkeeper OS 3.x + Apps 8.x, with bundled MCU firmware like the latest power‑module FW). We can pull an exact per‑camera report (OS, apps, and sub‑firmware versions) from Flock’s device management tools if requested for the record.
Many of the videos online of a camera getting hacked involve a specific, vulnerable version of firmware or operating system. The vulnerabilities that NIST found on the Falcon cameras that Troy has are specifically on firmware version 2.2 and earlier, which is why I asked this question. The response Flock provided is vague, especially when they could have just checked the version or pulled the per-camera report they stated was possible.
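If Flock does hand over the per-camera version report, this is the check I would run against it. It is an added example, not the post’s or Flock’s code: the CSV columns, camera IDs and version strings are constructed, and the “2.2 and earlier” ceiling is the threshold cited in the post. One caveat for whoever runs this for real: Flock’s answer names an OS 3.x train and an Apps 8.x train but never says which component’s version the 2.2 advisory refers to, so that mapping has to be pinned down before the result means anything. The example also shows why versions must be compared as numbers and not as strings, and why an unreadable version is reported separately rather than assumed clean.

```python
"""Added example, not code from the post or from Flock: checking a
per-camera version report against a "version X and earlier" advisory.

Hypothetical: the CSV columns, the camera IDs, and the versions. The
ceiling (2.2 and earlier) is the threshold the post cites.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed per-camera report in a made-up export format.
SAMPLE_REPORT = """\
camera_id,model,firmware
TRY-001,Falcon,2.1.7
TRY-002,Falcon,2.2
TRY-003,Falcon,2.10.1
TRY-004,Falcon,3.0.4
TRY-005,Falcon,unknown
"""

AFFECTED_UP_TO = (2, 2)   # "firmware 2.2 and earlier"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.10.1' -> (2, 10, 1); None if the string is not dotted integers.

    Comparing as tuples matters: as strings, "2.10.1" < "2.2" is True,
    which would mark an up-to-date camera as vulnerable.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def is_affected(version: Tuple[int, ...],
                max_affected: Tuple[int, ...] = AFFECTED_UP_TO) -> bool:
    """True when the version is at or below the advisory's ceiling.

    Only as many components as the ceiling has are compared, so
    2.2.5 counts as "2.2 and earlier" while 2.10.1 does not.
    """
    return version[:len(max_affected)] <= max_affected


def audit_fleet(report_csv: str) -> Dict[str, List[str]]:
    """Bucket every camera in the report into affected / clean / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "clean": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        version = parse_version(row["firmware"])
        if version is None:
            # Unreadable version: needs a manual look, never assumed clean.
            buckets["unknown"].append(row["camera_id"])
        elif is_affected(version):
            buckets["affected"].append(row["camera_id"])
        else:
            buckets["clean"].append(row["camera_id"])
    return buckets


if __name__ == "__main__":
    for bucket, cameras in audit_fleet(SAMPLE_REPORT).items():
        print(f"{bucket:9} {', '.join(cameras) or '-'}")
```

On the constructed report, TRY-001 and TRY-002 land in the affected bucket, TRY-003 (2.10.1) and TRY-004 are clean, and TRY-005 is listed as unknown for follow-up. A naive string comparison would have put TRY-003 in the affected list.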
- Who is responsible for performing firmware updates on the LPR Devices?
  Flock’s response: Flock is. Updates are delivered over the air by Flock engineering/SRE; the OS and services handle updating the camera, power‑module MCU, deterrence controller, etc. Troy PD does not have to perform any manual firmware work.
Troy does not own the cameras that are in use; they are rented from Flock. That does not always mean the updates are done by the company, since there are times when a subscriber does updates on their own, which is why I asked.
- How often are updates done on the equipment? How is it documented and logged?
  Flock’s response: Flock ships multiple OS/app releases per year and rolls them out in staged cohorts, plus targeted firmware updates when needed. Each release is fully documented (version, date, release notes, Jira links), adoption is tracked on fleet‑health dashboards, and update activity is logged both on‑device and in Flock’s backend monitoring; security‑relevant events flow into Flock’s SIEM.
I had a follow-up question at the meeting Thursday, based on this response, about how long it takes Flock to update cameras after a vulnerability is discovered. The rep did not have an answer.
I also requested a copy of the SOC 2 Type 2 report, which is standard for any technology platform. This report contains the findings of a third-party auditor who has reviewed evidence, over a period of time, of the policies and procedures surrounding technology and cyber security. I tried to get a copy on my own, but Flock requires the email of the sales rep you are working with to even request the document. This is highly unusual. Typically, anyone can request the report but will be required to sign an NDA. As of this posting, I still have not seen the report.
None of this touches on the contractual issues, the data sharing, or the responsible use of the technology. This is simply highlighting the technical side of the Flock cameras and the deficiencies in the controls around them. It equally concerns me that the Troy IT department does not seem to have any involvement with the system and the administration as a whole seems to be flippant about data security in general.
Thank you to all the residents who reached out, via email and in person, to voice their thoughts, opinions, and concerns. There are clearly still unanswered questions, and I will continue to work on getting them answered.
I support the Troy PD having tools to do their job, including Automatic License Plate Readers. But not all ALPRs are made equal. It’s ok to switch services if the current one is found to have issues, and Flock has some issues. Let’s get them some tools that also have privacy and security standards.