Full Report
Officials in Cambridge, Massachusetts, and Eugene, Oregon, found that some Flock Safety license plate readers were still active after the municipalities asked for services to be terminated.
Analysis Summary
# Incident Report: Unauthorized Operation of Deactivated ALPR Cameras
## Executive Summary
Several municipalities, specifically Cambridge, MA, and Eugene, OR, discovered that Flock Safety Automated License Plate Reader (ALPR) cameras remained active and operational after city officials explicitly directed the vendor to terminate services and deactivate the hardware. This operational failure resulted in the unauthorized continued collection of sensitive vehicle location data, leading to a material breach of trust and the termination of contracts by both cities. The vendor's underlying system design appears to prevent immediate deactivation dictated by the client.
## Incident Details
- **Discovery Date:** Eugene (Dec 3, 2025); Cambridge (Late November-Early December 2025)
- **Incident Date (Period of Unauthorized Activity):** Ongoing following initial service termination requests (Eugene: October; Cambridge: Unspecified, but subsequent to contract review/request to pause).
- **Affected Organization:** Flock Safety (Vendor); Cambridge, MA Police Dept.; Eugene, OR Police Dept.
- **Sector:** Government / Public Safety Technology / Surveillance
- **Geography:** Cambridge, Massachusetts; Eugene, Oregon
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-contract termination dates (October for Eugene; prior to Late November for Cambridge). This phase concerns the *initial data collection* via the ALPR network.
- **Vector:** Legitimate deployment of FLOCK ALPR hardware under contract.
- **Details:** Cameras were installed and functional under standard business arrangement.
### System State Change / Requested Termination
- **Date/Time:** October 2025 (Eugene requested deactivation of 57 cameras); Time of contract review/deactivation request (Cambridge).
- **Vector:** Official communications/directives from municipal authorities to Flock Safety.
- **Details:** Cities requested that the ALPR services be paused or terminated.
### Unauthorized Continuation & Discovery
- **Date/Time:** Late November 2025 (Cambridge); Last week prior to Dec 3, 2025 (Eugene).
- **Vector:** External operational monitoring/user portal checks (Eugene citizen Ky Fireside).
- **Details:**
- **Eugene:** Citizen monitoring revealed data was still being captured (nearly 8,500 plates in the preceding 30 days). Officials confirmed at least one camera remained active weeks after the October directive.
- **Cambridge:** Flock notified the City that two *new* cameras were installed in late November, despite an outstanding work order that should have been cancelled, indicating system confusion or ignored instructions.
### Response & Containment
- **Date/Time:** December 3, 2025 (Eugene notification); December 10, 2025 (Cambridge contract termination announced).
- **Vector:** Municipal official response and contract termination.
- **Details:**
- Eugene Police Chief addressed the issue publicly; auditor launched a probe.
- Cambridge terminated its contract with Flock Safety due to a "material breach of our trust and the agreement."
- Flock lobbyist stated cameras were subsequently uninstalled in Cambridge.
## Attack Methodology
*(Note: This incident appears to be based on vendor malpractice/system failure rather than a traditional external adversary attack. The methodology below reflects the vendor’s operational failure that created the vulnerability/impact.)*
- **Initial Access:** Contractual installation of hardware/software.
- **Persistence:** System architecture failure preventing immediate remote shutdown upon client request.
- **Privilege Escalation:** N/A (Not applicable to malicious remote activity).
- **Defense Evasion:** N/A (Functionality continued without authorization, not actively evading security controls).
- **Credential Access:** N/A.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** Continued capturing of ALPR data via active hardware devices in unauthorized locations.
- **Exfiltration:** Data accessed via the centralized Flock database by authorized but deactivating municipal agencies (implied, pending investigation).
- **Impact:** Unauthorized surveillance and data collection violating municipal directives.
## Impact Assessment
- **Financial:** Contract termination costs, potential costs associated with remediation/investigation, and costs incurred by the cities for temporary operational gaps.
- **Data Breach:** Collection of license plate data for thousands of vehicles within the operational areas (e.g., Eugene captured nearly 8,500 plates in 30 days prior to discovery).
- **Operational:** Disruption of public safety data feeds until hardware was confirmed removed; internal probes launched by police auditors/officials.
- **Reputational:** Significant damage to Flock Safety’s reputation regarding trust, adherence to municipal directives, and system control capabilities. (Incident echoes past issues in Evanston, IL).
## Indicators of Compromise
*(As this is a configuration/contractual failure rather than a cyber incident, traditional IOCs are not primarily relevant. The indicators point to unauthorized operation):*
- **Behavioral indicators:** FLOCK ALPR network activity reporting utilization rates from jurisdictions where service termination notices were issued.
- **System indicators:** Uncanceled/unfulfilled deactivation work orders in the vendor's management system for municipal jurisdictions.
## Response Actions
- **Containment measures:**
- Cities demanded confirmation that cameras were physically removed (confirmed in Cambridge).
- Eugene Police Chief addressed the matter publicly, confirming an internal probe.
- **Eradication steps:** Complete physical removal and/or permanent deactivation of all targeted ALPR units by the vendor, followed by audit. (Evanston previously had to physically bag cameras).
- **Recovery actions:** Formal termination of contracts; initiation of municipal internal reviews regarding future vendor management.
## Lessons Learned
- **System Control Limitations:** Relying on a third-party vendor whose system architecture inherently lacks the client-side functionality to immediately enforce service termination is a critical risk, especially for surveillance technology.
- **Trust vs. Verification:** Municipalities must implement robust verification mechanisms (e.g., requiring proof of physical hardware removal or independent network monitoring) when terminating data collection services, rather than relying solely on vendor assurances.
- **Contractual Breaches:** The decision by Flock to install new cameras after deactivation requests substantiates claims of prioritizing execution over contractual compliance/trust.
## Recommendations
- **Mandate Immediate Kill Switches:** Any future surveillance contracts must require a documented, independently verifiable, and immediate **remote kill switch** function accessible by the client municipality with remote access revoked upon contract termination.
- **Independent Auditing:** Implement periodic, vendor-independent audits (e.g., network monitoring or physical spot checks) following any service termination request to verify compliance.
- **Review Past Issues:** Conduct a thorough review of all prior service terminations (e.g., Evanston) to ensure all associated hardware has been neutralized according to the highest security standards.