- Hackers have broken into Verkada’s network and accessed all of its cameras and its archive.
- The infiltrators compromised cameras first and then ran code on them to pivot laterally into the rest of Verkada's network and access everything.
- The implications of the breach are severe and widespread, as Verkada has several high-profile customers.
A group of hackers has gone a long way toward proving that IoT security still has far to go: they accessed the live feeds of 150,000 surveillance cameras belonging to police departments, hospitals, prisons, schools, and companies such as Tesla, Cloudflare, and Equinox.
All of the compromised cameras are products of Verkada, an American software and hardware company that specializes in enterprise security camera systems.
The hackers claim to hold the entire video archive of all Verkada customers, which would be enormous, and they are leaking sample footage showing people's faces. Verkada stated that all internal administrator accounts have been disabled until the intruders' access has been confirmed removed, and that it is working with investigators and law enforcement authorities to determine the scale and scope of the incident. All affected customers will receive a notice.
According to Bloomberg, which says it spoke with the international hacking collective behind the breach, the infiltrators first obtained root access on some of the cameras, then executed code on them remotely, and eventually pivoted from the devices into Verkada's entire network. In other words, they worked their way inward from the edge devices, which once again shows the dire risks of insecure IoT devices.
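The camera-to-network pivot described above is the failure mode that network segmentation and egress monitoring exist to catch: a camera should only ever talk to its vendor cloud (and perhaps local DNS), so a camera opening SSH or SMB sessions to internal hosts is a strong indicator. The following is an added example, not code from Verkada or from the reporting; the camera VLAN, the vendor cloud range, the DNS server and the flow records are all constructed for illustration.

```python
"""Flag IoT cameras that initiate connections to hosts other than their
expected cloud endpoint, a simple indicator of a camera-to-network pivot.
All subnets, hosts and flow records below are hypothetical, constructed
for this example; they are not taken from Verkada or the breach."""
import ipaddress
from collections import defaultdict

# Assumed policy: cameras live in a dedicated VLAN and should only reach the
# vendor cloud over HTTPS, plus the local DNS resolver on port 53.
CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")        # hypothetical camera VLAN
ALLOWED_DESTS = {ipaddress.ip_network("203.0.113.0/24")}    # hypothetical vendor cloud (TEST-NET-3)
ALLOWED_PORTS = {443}                                        # HTTPS only
DNS_SERVERS = frozenset({"10.10.9.1"})                       # hypothetical internal resolver

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.50.0.12", "203.0.113.10", 443, 48_000),   # normal: camera -> vendor cloud
    ("10.50.0.12", "10.10.8.5", 22, 1_200),        # suspicious: camera -> internal SSH
    ("10.50.0.12", "10.10.8.5", 445, 9_800),       # suspicious: camera -> internal SMB
    ("10.50.0.12", "10.10.8.9", 445, 9_900),       # suspicious: second internal SMB target
    ("10.50.0.33", "203.0.113.11", 443, 51_000),   # normal
    ("10.50.0.33", "10.10.9.1", 53, 120),          # camera -> internal DNS, allowed
    ("10.10.8.5", "10.10.8.9", 445, 3_000),        # not a camera, ignored
]


def is_expected(dst_ip, dst_port):
    """Return True if a camera connection to dst_ip:dst_port is within policy."""
    if dst_ip in DNS_SERVERS and dst_port == 53:
        return True
    ip = ipaddress.ip_address(dst_ip)
    return dst_port in ALLOWED_PORTS and any(ip in net for net in ALLOWED_DESTS)


def find_pivoting_cameras(flows, min_targets=1):
    """Group out-of-policy connections by camera IP.

    Returns {camera_ip: sorted list of (dst_ip, dst_port)} for every camera
    that reached at least min_targets distinct unexpected destination hosts.
    """
    hits = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if ipaddress.ip_address(src) not in CAMERA_SUBNET:
            continue                      # only camera-originated flows matter here
        if not is_expected(dst, port):
            hits[src].add((dst, port))
    return {cam: sorted(targets) for cam, targets in hits.items()
            if len({host for host, _ in targets}) >= min_targets}


if __name__ == "__main__":
    for cam, targets in find_pivoting_cameras(SAMPLE_FLOWS).items():
        print(f"camera {cam} contacted unexpected hosts: {targets}")
```

On the constructed flows, only camera 10.50.0.12 is flagged, for its SSH and SMB connections to two internal hosts; the second camera's cloud and DNS traffic is within policy. In a real deployment the flow records would come from NetFlow, a firewall log or a VLAN span port, and the allowlist would be whatever the vendor documents as required egress, with everything else denied at the segment boundary rather than merely alerted on.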
The hackers told the publication that Verkada has failed to put even the slightest care into securing its platform and products, and added that, based on what they have seen, the firm is interested in pursuing nothing but profit. Not even the vendor's own offices were spared or properly secured, so the hackers accessed live feeds from there too.
And it is not that Verkada was unaware of the potential for abuse, even inside its own premises. In October 2020, the firm fired three employees who were caught abusing their access to the company's facial recognition system to take photos of women colleagues and harass them with sexually explicit jokes. Months later, it appears that Verkada still had not taken adequate remedial action.
Rick Holland, Chief Information Security Officer at Digital Shadows, shared the following comment with us:
Verkada positions itself as a “more secure, scalable” alternative to on-premises network video recorders. The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers. The video leak is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information. GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon.