Verkada, a major provider of surveillance cameras to a variety of facility types throughout the United States, suffered a data breach that exposed the contents of many of its live camera feeds. A hacktivist group was able to access over 150,000 Verkada cameras simply by taking control of a corporate “super admin” account via credentials that they say were publicly posted on the internet.
Once inside Verkada’s network with privileged access, the hackers were able to peer in on a troubling variety of settings: private homes, views of ICU beds, prison cells, interrogation rooms, gyms and elementary schools, just to name a few. They were also able to get a peek at the internal workings of a Tesla plant in Shanghai and the corporate offices of Cloudflare thanks to Verkada cameras in use there.
Data breach highlights contractor access to private spaces, and the cost of vulnerabilities
Verkada sells surveillance cameras that incorporate an AI-driven face and object recognition technology called “People Analytics.” The service relies on cloud-based video processing that allows customers to filter footage by individual traits such as clothing color or gender.
This added functionality requires internet connectivity, and Verkada appears to have failed miserably at securing this aspect of the system. A hacker collective that jokingly refers to itself as “Advanced Persistent Threat 69420” is responsible for the data breach, but calling the incident a “hack” may be a stretch; the hackers claim they found the admin account credentials listed in materials available to the general public over the internet.
The hackers report having had 36 hours of unfettered access to Verkada’s surveillance cameras, with the data breach only being remedied after they reported it to Bloomberg News. The hackers said that during the data breach window they not only had access to live feeds, but to the complete archive of video that Verkada keeps. They shared various videos with Bloomberg as evidence, including footage from a Florida hospital showing eight staffers tackling and restraining a man and assembly line workers at a Tesla factory in Shanghai.
The hacking group considers itself “hacktivist” in nature, releasing a statement that the data breach was in the service of freedom of information, anti-capitalism and “a hint of anarchism,” in addition to demonstrating the pervasiveness and security weaknesses of surveillance cameras. The group also claims credit for prior hacks of Intel and Nissan Motor Company. The Intel data breach took place in August of 2020 and saw the leak of 20 GB of internal documents regarding the company’s CPUs and sensors made for Elon Musk’s SpaceX. The Nissan data breach took place in early January; a misconfigured Git server exposed the source code for some of the company’s mobile apps and internal tools.
As if full access to customer live feeds and video archives across the nation was not enough, the hackers found even more goodies available with their illicit superadmin status. They had root access to all of the connected devices, meaning that they were theoretically able to execute malicious code and move laterally into customer networks that interface with the surveillance cameras. They were also able to download a full list of Verkada customers as well as the company’s non-public financial statements.
Verkada issued a statement indicating that its chief security officer and internal team were investigating the data breach in cooperation with an unnamed external security firm. The company contained the breach by temporarily disabling all internal administrator accounts until the leaked one was found; the hackers reported that their access was cut off shortly after Bloomberg notified Verkada of the breach.
Setu Kulkarni, Vice President of Strategy at WhiteHat Security, expands on how this incident illustrates the importance of a clear “digital chain of custody” at any organization: “If one conceptualizes the security requirements of an organization around the “digital chain of custody” – securing all elements of the digital chain of security is critical – Data, Infrastructure, Device, Endpoint, Application and Identity. Each one of those elements presents potential gateways to a breach. This breach is illustrative of how multiple simple gaps across multiple elements of the “digital chain of custody” can be combined to orchestrate a significant breach. In this case, the fact that the super-admin account information was freely available and the fact that missing security controls on the device are considered “by-design”, point to how a combination of security gaps across the “digital chain of custody” resulted in such a significant breach.”
Surveillance cameras & facial recognition continue to be a contentious topic
The incident will likely add more fuel to a debate over surveillance cameras that has already become contentious in recent years, particularly their use in law enforcement and for the scanning of public spaces.
The hackers were able to access a number of different cameras located in police departments, jails and holding facilities. One of the videos shared with Bloomberg showed the interrogation of a man in handcuffs. Other images indicated that cameras in these facilities are often hidden in vents, thermostats and wall-mounted emergency defibrillators. Many came packed with 4K video, audio and Verkada’s facial recognition abilities.
The administrative credentials also gave the hackers access to previous videos stored on client systems. At the detention facility for Arizona’s Graham County, the hackers found videos with titles that appeared to be making fun of the inmates in the midst of mishaps or possible incidents of violence (such as “ROUNDHOUSE KICK OOPSIE” and “AUTUMN BUMPS HIS HEAD”).
A number of major cities have banned law enforcement use of facial recognition tools; these include San Francisco, Oakland, Boston and Portland. The central argument is that it is presently too inaccurate and prone to fueling bias, and constitutes a privacy-invasive form of mass surveillance.
The Verkada data breach incident has the potential to swing some of the supporters of omnipresent surveillance cameras, with some of the videos the hackers accessed hitting a little too close to home. The hackers viewed surveillance cameras inside of Sandy Hook Elementary School, the site of the horrifying mass shooting of children in 2012, and even watched a Verkada employee inside his own home as he assembled a jigsaw puzzle with his children.
It is unclear exactly how many Verkada employees had access to customer videos and feeds. A company statement indicated that administrative access at this level was provided to “engineering and support staff” for the purpose of “address(ing) technical issues.” An anonymous former company employee told the Washington Post that Verkada employees commonly had access to customer cameras without any sort of formal process in place to request it. The hackers did not reveal exactly how or where they found the publicly posted superadmin password, but if their story is to be believed it is reasonable to speculate that it was a widely-used shared login that slipped outside of the company network somehow.
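The shared super-admin login described above is exactly the kind of account a defender would want to watch in audit logs. The following is an added example, not Verkada’s code and not based on any detail of its logging: it runs two simple heuristics over a constructed audit log, flagging a privileged account that logs in from outside an assumed corporate address range, or that shows more distinct source addresses in a short window than one person could plausibly use. The log format, the account name, the corporate range and the thresholds are all assumptions.

```python
"""Flag a privileged account whose credential looks shared or leaked.

Added example; not Verkada's code. The audit-log format, the account
name "superadmin", the corporate IP range and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, account, source IP, action.
SAMPLE_LOG = """\
2021-03-08T09:12:04Z superadmin 10.20.0.15 login
2021-03-08T09:40:51Z superadmin 10.20.0.22 login
2021-03-08T10:05:10Z superadmin 10.20.0.15 camera.view
2021-03-08T10:07:33Z superadmin 203.0.113.7 login
2021-03-08T10:09:01Z superadmin 203.0.113.7 camera.archive.download
2021-03-08T10:31:48Z superadmin 198.51.100.44 login
2021-03-08T11:02:19Z jdoe 10.20.0.40 login
2021-03-08T11:05:00Z jdoe 10.20.0.40 camera.view
"""

CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range
PRIVILEGED = {"superadmin"}        # assumed names of super-admin accounts
WINDOW = timedelta(hours=2)         # assumed look-ahead window per login
MAX_DISTINCT_SOURCES = 2            # more than this many IPs in WINDOW is suspicious


def parse_log(text):
    """Parse 'timestamp account ip action' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, ipaddress.ip_address(ip), action))
    return events


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETS)


def find_shared_credential_use(events):
    """Return {account: [finding, ...]} for privileged accounts only.

    Heuristic 1: any activity from a non-corporate source address.
    Heuristic 2: more than MAX_DISTINCT_SOURCES distinct login IPs inside
    WINDOW, which is hard to explain with a single human operator.
    """
    logins = defaultdict(list)
    findings = defaultdict(list)
    for ts, account, ip, action in sorted(events):
        if account not in PRIVILEGED:
            continue
        if action == "login":
            logins[account].append((ts, ip))
        if not is_corporate(ip):
            findings[account].append(
                f"{ts.isoformat()} {action} from non-corporate source {ip}")
    for account, entries in logins.items():
        for ts, _ in entries:
            window_ips = {ip2 for ts2, ip2 in entries if ts <= ts2 <= ts + WINDOW}
            if len(window_ips) > MAX_DISTINCT_SOURCES:
                findings[account].append(
                    f"{len(window_ips)} distinct login sources within "
                    f"{WINDOW} starting {ts.isoformat()}")
                break  # one window finding per account is enough
    return dict(findings)


if __name__ == "__main__":
    for account, notes in find_shared_credential_use(parse_log(SAMPLE_LOG)).items():
        print(account)
        for note in notes:
            print("  ", note)
```

On the constructed log the script reports only the super-admin account: three entries for activity from outside the corporate range (including the archive download) and one for four distinct login sources inside a two-hour window. The ordinary user is never inspected, which keeps the check cheap enough to run continuously against the small set of accounts that matter most.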
Verkada is likely to face regulatory consequences given the nature of the data that was compromised. Rick Holland, Chief Information Security Officer at Digital Shadows, speculated on some of the possibilities: “The video leak is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information. GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon.” Ilia Kolochenko, founder and CEO at ImmuniWeb, provided some further insight on how specific state laws might impact Verkada: “This incident will likely trigger an avalanche of legal and judicial costs for the affected companies as the leak of such data is a reportable security incident under many state and federal laws. Moreover, individual notifications to the exposed victims filmed by the compromised cameras, or even notifications by a press release, may be required as a matter of law depending on the specific usage and location of the breached cameras … The US has already enacted a federal law to prevent insecure IoT devices from being supplied to the Federal government via the “IoT Cybersecurity Improvement Act” in 2020. States like California and Oregon also pioneered state regulation of IoT security by enacting state laws. The California law is quite comprehensive from a technical viewpoint but is comparatively toothless: individuals cannot sue under the law and there are no fixed monetary penalties like under CCPA/CPRA that serve as a formidable deterrence for those who misuse personal data of the state citizens.”