Grant Gross | Washingtonexaminer.com
A massive hack of security cameras from security vendor Verkada has exposed about 150,000 live video feeds, including dozens of Tesla factory and warehouse cameras and security feeds inside hospitals, police departments, and jails.
A hacktivist collective claimed credit for the early March breach, saying that the purpose of the attack was to demonstrate the pervasiveness of video surveillance and the ease with which video cameras can be compromised. Swiss police raided the home of hacker Tillie Kottmann, a member of the collective, on March 12, but the search warrant was focused on an older data breach.
The hacker collective claimed to have found “super admin” account credentials linked to all Verkada customers in materials available on the internet.
On March 15, Verkada said it had notified all customers it believed were affected, although an investigation was still open. The company said it secured all camera feeds on March 9, shortly after the breach was reported.
Earlier, Verkada CEO Filip Kaliszan said the company had fallen short of its goal to “build the world’s safest and most sophisticated physical security systems.”
While the hacker collective’s motivation might be described as mischief, the breach shows the potential security flaws with internet-connected security cameras. The attackers apparently found an account with access to several Verkada customers, noted Andrea Carcano, co-founder of Internet of Things security provider Nozomi Networks.
He noted that when companies choose a cloud-based service, they need to consider that the security risks are different from a video surveillance system operated on-premises.
“This is clearly an insecure design,” he told the Washington Examiner. Since cloud-based services “are potentially concentrating data from many customers in a single place, you need to verify with the provider that a thorough separation of data is in place.”
The breach appears to stem from Verkada inadvertently leaving an admin-level password exposed, noted Saryu Nayyar, CEO of cybersecurity firm Gurucul.
“If true, it points to a policy failure and a lack of adequate access controls,” she told the Washington Examiner. “While the attackers claim to be up to a bit of mischief rather than disruptive crime, it is still illegal.”
The breach can also be attributed to an insider threat, added Bryson Bort, CEO of SCYTHE, which makes adversary emulation tools.
“Employees at Verkada had super admin privileges, which allowed them access to all cameras. This means they could spy on customer feeds without their knowledge,” he told the Washington Examiner. “This is an example of bad security practices and the erosion of trust and privacy with customers.”
Customers depend on vendors to have good security in place “with ubiquitous, always-on, and connected devices because there is no way for them to know what’s really happening,” he added.
Vendors such as Verkada need to apply multifactor authentication to super admin accounts with root privileges, added Ray Canzanese, director at cloud security vendor Netskope Threat Labs.
These types of attacks are preventable if companies have tighter control over these credentials to prevent leaks, use multifactor authentication to prevent leaked credentials from being used, and monitor access, he said.
“These types of attacks are becoming more common as more organizations move to cloud and don’t have the policies or measures in place to secure a cloud-first environment,” he told the Washington Examiner.
Companies should limit access to a super admin account to “very few people” and regularly cycle login credentials, he advised.
“The goal is to make it such that even if someone gets their hands on the credentials, they won’t be able to authenticate without the [multifactor] token,” he added. “It makes the attacker’s job that much harder.”
Security experts, meanwhile, said capturing live feeds could potentially be used for more than mischief or making a point. Live video could also be used to capture internal business processes, credentials, or other sensitive information, said Pieter VanIperen, managing partner at IT consulting firm PWV Consultants and a former cloud security executive.
In other cases, live video footage could be used to blackmail companies or people caught on camera, he added.
A live feed could be used to catch an employee “in the act of doing something wrong or illegal,” he told the Washington Examiner. “This would allow an attacker to blackmail said employee for credentials or other internal information in exchange for silence.”