Hackers claim to have breached Silicon Valley startup Verkada to gain unauthorized access to live feeds of 150,000 security cameras. They claim the hack gave them widespread access to surveillance footage within companies such as Tesla and Cloudflare, as well as hospitals, companies, law-enforcement departments, schools and prisons.
The group provided video footage from cameras managed by San Mateo, Calif.-based Verkada to Bloomberg to prove the success of their breach, according to a report published on the news outlet’s website. Verkada provides and manages a web-based network of security cameras to customers and claims to be a more secure and scalable alternative to on-premises solutions for video surveillance.
The breach offers a broad view of the privacy and security violations that can occur if video surveillance footage falls into the wrong hands. It is also very likely to put Verkada in regulatory and legal hot water once investigations are complete, security experts said.
The hacker collective, which calls itself “Advanced Persistent Threat 69420,” claimed it accessed security cameras from inside Florida hospital Halifax Health, with some of the footage viewed by Bloomberg appearing to show eight hospital staffers tackling a man and then holding him down on a bed.
Other footage viewed by Bloomberg appeared to be inside a Tesla factory in Shanghai, showing workers on an assembly line. The hackers claimed they accessed 222 cameras displaying activity inside Tesla factories and warehouses.
Bloomberg said it also viewed surveillance footage from a police station in Stoughton, Massachusetts. Meanwhile, the hackers told the publication that they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012; 330 security cameras inside the Madison County Jail in Huntsville, Alabama; cameras of multiple locations of the luxury gym chain Equinox; surveillance footage from the ICU of Wadley Regional Medical Center, a hospital in Texarkana, Texas; and cameras at Tempe St. Luke’s Hospital, in Arizona, according to the report.
Tillie Kottmann, one of the hackers who claimed credit for the incident, told Bloomberg the group’s intention behind the breach was to demonstrate the extent to which video surveillance exists – but also how easy it is to break into these systems and expose sensitive and private footage.
Kottmann cited “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it” as reasons for hacking into Verkada, according to the report. Previous breaches for which the group claimed responsibility include incidents at Intel and Nissan.
The Hack: Gaining Admin Privileges
In this instance, the group gained access to Verkada through a “Super Admin” account, by using a username and password for an administrator account that was publicly exposed on the internet. This gave them access to the cameras of all of the company’s customers, Kottmann told Bloomberg. After the publication contacted Verkada, the hackers lost access to the video feeds and archives, the group said, according to the report.
This method shows the type of downstream impact of email-based attacks such as spear-phishing, which use social engineering to fool a company’s employees into handing over credentials, one security expert observed.
“It’s very likely that this was done through a phishing attack that was made more convincing through social engineering,” said Hank Schless, senior manager of security solutions at Lookout, in an email to Threatpost. “Attackers have also been known to target lower-level employees and phish their credentials, only to move laterally through the infrastructure once they have access.”
Ongoing Investigations into Verkada Breach
Verkada did not immediately return a request for comment on Wednesday morning about the attack and the company’s mitigation efforts. A Verkada spokesperson told Bloomberg in a statement that the company disabled all internal administrator accounts to prevent any unauthorized access.
“Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” the spokesperson said.
Verkada’s CISO, an internal team and an external security firm are currently investigating the incident, and the company is in the process of notifying customers and setting up a support line to field questions and requests for assistance, according to Bloomberg.
No matter what the company’s findings reveal, Verkada will surely face tough questions and scrutiny as well as regulatory investigations and potential lawsuits over the incident, which once again demonstrates the security issues with making sensitive data accessible on cloud-based networks, observed Rick Holland, CISO at security firm Digital Shadows.
“The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers,” he said in an email to Threatpost. “You don’t always get more secure when you outsource your security to a third party.”
Moreover, the Department of Health and Human Services (HHS) will probably launch an investigation into Verkada and the breach for HIPAA/HITECH violations, as surveillance footage can be considered protected health information, Holland said.
Other regulatory and legal trouble also might be on the way for the company, he added: “GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon.”