According to a report by Bloomberg, Verkada, a maker of cloud-managed, edge-based enterprise security cameras and software, was the victim of a data breach that allowed an international group of hackers to gain access to 150,000 security cameras.
Hospitals, prisons and companies like Tesla and Cloudflare were affected by the breach, according to the report.
The hackers used “Super Admin” credentials found publicly on the internet to access the camera data, which included video from inside women’s clinics and Verkada offices.
According to the Bloomberg report, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s website in a case study titled “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”
Another video from inside a Tesla warehouse in Shanghai shows workers on an assembly line. The hackers said they gained access to 222 cameras in Tesla factories and warehouses.
Some of Verkada’s cameras use facial recognition technology to identify and sort people in the footage. The hackers said they have access to complete video archives from all Verkada customers, according to the Bloomberg report.
Tillie Kottmann, a member of the hacker collective who previously claimed credit for hacking Intel Corp. and Nissan Motor, said the collective’s actions were meant to show the “pervasiveness” of the video surveillance industry and the ease of breaking into the systems.
Kottmann said their group was able to obtain root access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann told Bloomberg.
According to Kottmann, after Bloomberg contacted Verkada in regards to the breach, the hackers lost access to the video feeds and archives.
In response, Verkada said it has verified its system is secure and has already restricted administrator access as it conducts a review of its policies and permissions.
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
Verkada said it previously limited access to internal administrator accounts to engineers and support staff so they could address customers’ questions and technical issues. Verkada's training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed, according to the spokesperson.
Although unable to comment on the breach, the Security Industry Association has resources available on its site to help companies improve their cybersecurity and data privacy postures, such as a guide to product and system hardening and a report on the challenges and recommendations for connected physical security products.
Christian Morin, chief security officer and vice president of integrations and cloud services at Genetec, a provider of open-platform software, hardware and cloud-based services for the physical security and public safety industry, says that there’s no “silver bullet” when discussing cybersecurity. However, taking steps like separating corporate networks and systems from the ones managing customer data can help limit the scope of a breach or prevent it altogether.
“Cybersecurity is a shared responsibility,” Morin said. “All parties involved in the system development, implementation and operation have a critical role to play. It is important that manufacturers, integrators and end users embrace this fact and work together to address this risk.”
Verkada, based in San Mateo, Calif., was founded in 2016. It raised $80 million in venture capital in Jan. 2020, valuing the company at $1.6 billion.