Hackers aiming to call attention to the dangers of mass surveillance say they were able to peer into hospitals, schools, factories, jails, and corporate offices after they broke into the systems of a security-camera startup.
That California startup, Verkada, said it is investigating the scope of the breach and has notified law enforcement and its customers.
A group that calls itself APT-69420 Arson Cats was able to gain access to a Verkada “super” administrator account using valid credentials found online.
Verkada said in a statement that it has since disabled all internal administrator accounts to prevent any unauthorized access.
But for two days, the hackers said, they were able to peer unhindered into live feeds from potentially tens of thousands of cameras, including many that were watching sensitive locations such as hospitals and schools.
That included outdoor and indoor cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 first-grade students and six educators were killed in 2012 by a gunman in one of the deadliest school shootings in U.S. history.
The Verkada footage captured and shared by hackers appeared to include a Tesla facility in China and the Madison County Jail in Huntsville, Alabama.
Verkada has pitched its cloud-based surveillance service as part of the next generation of workplace security.
Its software detects when people are in the camera’s view, and a “Person History” feature enables customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.
Commentaries: What the experts say
Morey Haber, CTO & CISO at BeyondTrust, commented on the Verkada breach:
“If you are an IoT vendor, you have some fundamental responsibilities to protect your company, infrastructure, and the security and privacy of your clients. You would want to architect and deploy a solution in which no single credential could ever be used to jeopardize the trust and well-being of your clients and solution.”
With that in mind, he said one would want these basic security controls:
- Segregation of access to the IoT devices you service
- Two-factor authentication enabled for all clients
- Multi-factor authentication (MFA) enabled for all employees, vendors, and contractors
- Restricted access to all sensitive accounts from only approved zones
- Privileged access management to rotate, manage, secure, and provide certification for all administrative accounts
- An established workflow to allow access to the most sensitive accounts
“Well, unfortunately for the Verkada IoT Camera Services, none of these security best practices were enabled.”
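The point behind Haber's list is that a valid username and password, on its own, should never be enough to reach a customer's camera feed. The following is an added example, not Verkada's code or BeyondTrust's, showing how a hypothetical cloud camera console could enforce several of those controls in a single authorization gate: MFA for every admin, access only from approved network zones, per-tenant scoping of which devices an admin services, credential rotation, and an approval ticket (break-glass workflow) before a super admin can reach a tenant outside their scope. All usernames, IP ranges, tenant IDs and the `BreakGlassTicket` structure are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy data for the hypothetical console (assumed values).
APPROVED_ADMIN_ZONES = [
    ipaddress.ip_network("10.20.0.0/16"),  # assumed corporate VPN range
    ipaddress.ip_network("192.0.2.0/24"),  # assumed SOC jump hosts (TEST-NET-1)
]
MAX_CREDENTIAL_AGE = timedelta(days=90)    # rotation deadline for admin passwords
NOW = datetime(2021, 3, 9, tzinfo=timezone.utc)  # fixed clock so the demo is deterministic


@dataclass
class Camera:
    camera_id: str
    tenant_id: str


@dataclass
class AdminSession:
    username: str
    password_ok: bool             # the credential check has already passed
    mfa_verified: bool            # second factor completed for this session
    source_ip: str
    tenant_scope: set             # tenants this admin is allowed to service
    credential_rotated_at: datetime
    is_super_admin: bool = False


@dataclass
class BreakGlassTicket:
    ticket_id: str
    approved_for: str             # username the approver granted access to
    tenant_id: str                # single tenant the ticket covers
    expires_at: datetime


def authorize_feed_access(session, camera, ticket=None, now=NOW):
    """Return (allowed, reason). Every control must pass; a valid password alone never grants access."""
    if not session.password_ok:
        return False, "bad credential"
    if not session.mfa_verified:
        return False, "mfa required"
    src = ipaddress.ip_address(session.source_ip)
    if not any(src in zone for zone in APPROVED_ADMIN_ZONES):
        return False, f"source {session.source_ip} not in an approved zone"
    if now - session.credential_rotated_at > MAX_CREDENTIAL_AGE:
        return False, "credential past rotation deadline"
    # Normal path: the admin only sees tenants they are assigned to service.
    if camera.tenant_id in session.tenant_scope:
        return True, "in-scope tenant"
    # Super admins get no standing access to other tenants; they need an approved, unexpired ticket.
    if session.is_super_admin:
        if ticket is None:
            return False, "super-admin access outside scope requires an approved ticket"
        if ticket.approved_for != session.username or ticket.tenant_id != camera.tenant_id:
            return False, "ticket does not match user or tenant"
        if ticket.expires_at <= now:
            return False, "ticket expired"
        return True, f"break-glass access via {ticket.ticket_id}"
    return False, "tenant out of scope"


def run_scenarios():
    """Exercise the gate with constructed sessions; returns a dict of (allowed, reason) per scenario."""
    hospital_cam = Camera("cam-0042", "tenant-hospital")
    fresh = NOW - timedelta(days=30)
    leaked = AdminSession("superadmin", True, False, "203.0.113.7", set(), fresh, is_super_admin=True)
    leaked_with_mfa = AdminSession("superadmin", True, True, "203.0.113.7", set(), fresh, is_super_admin=True)
    tenant_admin = AdminSession("hosp-admin", True, True, "10.20.5.9", {"tenant-hospital"}, fresh)
    super_vpn = AdminSession("superadmin", True, True, "10.20.1.2", set(), fresh, is_super_admin=True)
    ticket = BreakGlassTicket("CHG-1234", "superadmin", "tenant-hospital", NOW + timedelta(hours=1))
    return {
        # A leaked but valid password, used from the internet without MFA: denied.
        "leaked_no_mfa": authorize_feed_access(leaked, hospital_cam),
        # Even with MFA, the source network is not an approved zone: denied.
        "leaked_internet": authorize_feed_access(leaked_with_mfa, hospital_cam),
        "tenant_admin": authorize_feed_access(tenant_admin, hospital_cam),
        "super_no_ticket": authorize_feed_access(super_vpn, hospital_cam),
        "super_with_ticket": authorize_feed_access(super_vpn, hospital_cam, ticket),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} -> {result}")
```

The ordering matters: the password check is only the first gate, and the decision that actually protects customers is that no standing "see everything" role exists; cross-tenant access by a super admin is tied to a named user, a single tenant, and an expiry, which also gives the audit log something concrete to record.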
On March 9th, Bloomberg reported a massive security breach of the Verkada network that exposed the live feeds of 150,000 security cameras used in jails, hospitals, and even companies like Tesla.
And so Haber said one has to ask:
- Did organizations know that the live feeds were being used for facial recognition? Did they pay for this service?
- Since many of the environments are private, did employees consent to have facial recognition abilities processed and stored, based on captured footage?
- Did businesses and employees know or consent to data retention of their likeness being captured for archival purposes?
- Is facial recognition even legal in the state, country, or even allowed by a union in locations that were compromised?
Haber indicated that this was not a sophisticated attack. No malware or advanced persistent threats (APTs) were involved in this breach.
“The threat actors obtained ‘root’ access to the cameras using built-in functionality that escalated their privileges to ‘Super Admin’ and were consequently permitted access to all of Verkada’s camera feeds,” Haber explained.
The initial account compromise occurred because the username and password for an administrative account were exposed on the Internet, and that account was protected by single-factor authentication only.
“While this is another breach added to the list of security incidents in 2021, all companies should take notice, especially those providing IoT services via the web,” Haber concluded.
For his part, Sam Curry, Chief Security Officer at Cybereason, said that even though recent nation-state cyberattacks on SolarWinds and Microsoft Exchange Servers are garnering headlines, hacktivist groups are still players in the global cyber ecosystem.
“It makes no difference if the motives of any threat actor are social, political, or financial in nature when crimes are committed and laws are broken. It is also a reminder of how vast the threat landscape is. This breach appears to have been preventable if the administrator’s username and password weren’t exposed on the Internet,” Curry explained.
“Today, there are more than 1 billion surveillance cameras in use around the world and security is an afterthought in many of them, resulting in spying and unlawful monitoring of unsuspecting victims.”
As for Ammar Enaya, regional director – Middle East, Turkey & North Africa (METNA) at Vectra, he advised organizations to start thinking of cyber breaches as inevitable, not extraordinary.
“Cybersecurity thinking today is evolving. We see less preoccupation with endpoint defense, which fails regularly, and more emphasis on fast detection of enemy malware inside the perimeter, followed by rapid neutralization and recovery.
But we have to evolve faster. Lingering faith in faulty perimeter-protection solutions has cost too many organizations dearly. The best response to these attacks is to adopt better protective measures.”