Thousands Of Security Cameras, Archived Footage Exposed After Surveillance Company Verkada Is Hacked
from the unsecured-security-cameras-are-the-best-security-theater dept
Put enough cameras up and pretty soon they become tasty targets for malicious hackers.
A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Some of the more notable targets include Tesla factory cameras and security cameras deployed by Cloudflare. The hackers also apparently have access to archived video from these sources. Verkada has responded by disabling all internal administrator accounts — something it probably should have done back when it was making news for doing the same thing, only without the participation of outside hackers.
Last year, a sales director on the company’s sales team abused their access to these cameras to take and post photos of colleagues in a Slack channel called #RawVerkadawgz where they made sexually explicit jokes about women who worked at the company, according to a report in IPVM, which Motherboard independently verified and obtained more information about.
“Face match… find me a squirt,” the sales director wrote in the company Slack channel in August 2019, according to one screenshot obtained by Motherboard.
Now, the same sort of thing can be done by anyone with access to the compromised system. The hackers involved here claim to be operating somewhat altruistically.
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Add to that list “too easy.” According to Kottmann, the hackers gained access to a “Super Admin” account after finding a username and password publicly exposed. That access has since been revoked (along with all other internal admin accounts), but the footage served up to reporters showed everything from eight hospital staffers restraining a patient to police officers grilling suspects.
Then there’s the facial recognition tech grafted onto Verkada’s cameras.
Verkada’s website advertises that “all” of its cameras include “Smart Edge-Based Analytics,” referring to the cameras’ facial recognition, person identification, and vehicle analysis tools.
It’s not clear which of Verkada’s 24,000 customers were using these functions but they appear to be built-in. And its list of customers — also exposed in the breach — includes schools, banks, bars, breweries, churches, condo complexes, museums, airports, a Salvation Army Center, as well as the previously mentioned companies, hospitals, and prisons.
And, as was briefly noted earlier, Verkada’s system allows customers to search recorded video by face, allowing users to compile screenshots of every instance in which the searched face was captured by the cameras.
Surveillance is a growth market. Amass enough market share and someone’s going to want to see what you’ve collected. Verkada’s use of admin accounts was already problematic given what we know about the mindset of some of its administrators. Giving admins access to all customer cameras and recordings may make it easier to address user problems, but without better security, it’s also irresponsible.