A hacking group has gained access to the feeds of 150,000 surveillance cameras used inside businesses, schools, police departments, hospitals, and well-known companies.
The security breach, which was first reported by Bloomberg, resulted in hackers being able to view live feeds of cameras managed by Verkada, a cloud-based startup which brags about using cameras to identify risks and help people and locations stay safe and secure.
A reporter at Bloomberg is said to have watched footage of staff at a Florida hospital tackling a man and pinning him to a bed, and in another video watched a handcuffed man being questioned by officers at a police station in Stoughton, Massachusetts.
As well as being able to access video and image data from the security cameras of Verkada’s customers, the hackers are also said to have accessed:
- A list of client account administrators, including names and email addresses
- A list of Verkada sales orders.
Verkada says that it has seen no evidence that the hackers were able to access users’ passwords or password hashes, or the company’s internal network, financial systems, or other business systems.
In the wake of the attack, Twitter suspended the @nyancrimew account of Tillie Kottmann, a member of a hacking collective dubbed “APT 69420 Arson Cats,” who had claimed that they “had root shells inside the corporate networks of both CloudFlare and Okta”, boasting that if they wanted to they “could have probably owned half the internet in like a week.”
Switzerland-based Kottmann claimed that the hack had been achieved after Verkada left an internal development system exposed to the internet. From that, hackers were able to obtain login credentials for an account that had admin rights on Verkada’s network.
Technology firms which are confirmed to have been affected by the security camera breach include Tesla, Cloudflare, identity and access management company Okta, and – of course – Verkada itself.
As Reuters reports, Tesla confirmed that one of its suppliers’ production sites in China had been caught up in the attack, but that neither its factory in Shanghai nor showrooms were affected.
The electric vehicle company says that cameras at the supplier’s company are either no longer operational, or have been disconnected from the internet.
In an update posted on its website, Verkada said that it had identified the attack vector used by the hackers and had secured it by “approximately noon PST on March 9, 2021”.
The high profile security breach is clearly embarrassing for Verkada, which brags on its website about how its cameras “prioritise people’s privacy.”
According to the firm, customers do not need to take any further action to secure themselves.
Of course, some affected customers may wish to reconsider whether the benefits of using cloud-based security cameras from Verkada is worth the risk.
Certainly I would be wondering why it’s possible for Verkada employees to access customers’ video feeds without the explicit approval of the customers themselves. If that wasn’t possible then surely the hackers wouldn’t have been able to view the feeds either?
Readers may recall that Verkada made the headlines in October last year after it was found that some of the firm’s staff had used the company’s cameras and facial recognition technology to take and share images of female co-workers.