Managing Editor, IFSEC Insider


James Moore is the Managing Editor of IFSEC Insider, the leading online publication for security and fire news in the industry. James writes, commissions, edits and produces content for IFSEC Insider, including articles, breaking news stories and exclusive industry reports. He liaises and speaks with leading industry figures, vendors and associations to ensure security and fire professionals remain abreast of all the latest developments in the sector.
March 12, 2021



Cyber attack

“Thousands” of Verkada cameras affected by hacking breach

Thousands of Verkada cameras have been affected by a breach from a group of hackers, who have reportedly gained access to surveillance systems inside several high profile companies, police departments, hospitals, prisons and schools.

Organisations using the vendor’s cameras said to be affected include Tesla and software provider Cloudflare, while Bloomberg has reported that the hackers also gained access to footage inside psychiatric hospitals and health clinics.

The data breach is said to have been carried out by an international hacker collective, with one of the individuals involved explaining that the reasons behind the attack were “lots of curiosity, fighting for freedom of information… and it’s also just too much fun not to do it”.

A Verkada spokesperson told Bloomberg that the company has “disabled all internal administrator accounts to prevent any unauthorised access”, and that its internal security team “are investigating the scale and scope of the issue, and we have notified law enforcement”.

The company apologised to customers on Friday 12th March, saying it “fell short of our goals” and was “deeply sorry”. CEO, Filip Kaliszan, outlined a plan the business has developed to guide its work in the future, as it seeks to “redouble [its] efforts to strengthen the safeguards in [its] products and earn back trust”. Some of these measures are set to include a refocusing of engineers, engaging third-party experts and weekly customer webinars.


Many of the cameras utilise video analytics software, including facial recognition and tracking technology. The hackers have said they’ve been able to access live feeds and archived video, as well as audio.

The breach was described as ‘unsophisticated’: the hacking group used a ‘super admin’ account to gain access, and the spokesperson from the collective said they found the administrator username and password on the internet.

The news will likely raise further concerns over the inherent cyber protection in physical security devices – an issue experts have been highlighting for some time, as they call for growing awareness of potential vulnerabilities and the uptake of converged security solutions to cover both cyber and physical attacks.

In IFSEC Global’s Video Surveillance 2020 Report, 76% of security end-users and consultants said they were either ‘quite’ or ‘very’ worried about the vulnerability of their surveillance systems to cyber-attacks, with almost half citing ‘back doors created by manufacturers for customer support and troubleshooting’ as the main cause of concern. Inadequate protection within surveillance hardware was cited as the third biggest potential vulnerability in surveillance systems, too.

Sarb Sembhi, CTO & CISO at Virtually Informed, and regular contributor to IFSEC Global on the subject, commented: “If the attackers are to be believed (and there is no reason not to believe them), then creating a device with default username and password that doesn’t have to be changed on installation is most obviously bad practice. Especially, given that almost every mass CCTV system attack we hear of has been as the result of this very same issue. One would like to think that any security company, be it physical or cyber security understood the stakes of having high profile clients enough to at least get this one simple thing right.

“I think it interesting that the vendor finishes by saying that law enforcement have been informed – as if that would make up for the fact that they have lapsed in their responsibility to change the admin password. However big a failing this may be, so far the industry doesn’t seem to have come up with a simple solution for systems managers to be able to create, store and use passwords effectively, or to have added a second authenticating factor in such systems. If there were such solutions, it would reduce the internal discussion around how are we going to remember 150K passwords.”

Elisa Costante, VP of Research at Forescout, added: “Connected cameras are supposed to provide an additional layer of security to organisations that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.

“In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organisations particularly vulnerable to these kinds of attacks. The only way for organisations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place.”

