A hacking collective has gained access to the systems of Verkada Inc., a Californian security camera startup, and viewed live feeds and archived video footage from cloud-connected surveillance cameras used by big corporations, hospitals, police departments, schools, and jails.
As originally reported by Bloomberg, a white hat hacking group called Advanced Persistent Threat 69420 accessed Verkada’s systems using credentials they obtained online. The credentials gave the group super admin-level privileges, and with them root access to the surveillance cameras and, in certain instances, the internal systems of Verkada’s customers. The hackers also said they could get the complete list of Verkada customers and access the company’s private financial data.
The group did not hack Verkada’s systems with malicious intent; its purpose was to raise awareness of how easy those systems were to hack. Malicious hackers could just as easily have gained access to Verkada’s systems for a variety of malicious reasons.
Till Kottmann, a hacker in the collective, explained that her collective hacked Verkada’s systems on March 8, 2021 and had complete access for about 36 hours. Because the system was entirely centralized, it was very easy to get into it and obtain its clients’ camera footage. Kottmann called Verkada’s security “nonexistent and irresponsible.” The company’s internal development system was exposed online. Additionally, hard-coded credentials for a system account with full access were kept on an unencrypted subdomain.
The hackers used the credentials to sign in to the same cloud-based systems that all clients use to access their own security cameras, except that they did so with super admin privileges, which permitted them to access all of the customers’ security cameras.
The camera footage obtained by the collective came from corporate clients such as Tesla, Cloudflare, Equinox, and Nissan. Camera feeds were also obtained from Sandy Hook Elementary School in Newtown, CT, Madison County Jail in Huntsville, AL, and others.
Security cameras installed in hospital ICU departments, including those at Wadley Regional Medical Center in Texarkana, TX and Halifax Health in Florida, were likewise accessible.
Verkada released a statement regarding the hacking episode, stating that all internal administrator accounts were disabled to prevent unauthorized access. Its internal and external security teams are looking into the extent of the problem. Law enforcement and all affected clients have been notified. The breach is currently being investigated.
Surveillance Cameras Can Pose a Security Risk
The hacking episode is a warning about the risks of surveillance cameras. Although security cameras can help with security, they can also be a security weakness. This incident is certainly noteworthy, but Verkada isn’t the only security camera firm that has been breached.
In 2020, the threat group responsible for the FBot and Chalubo botnets, which target insecure IoT devices, was found to be exploiting vulnerabilities in CCTV cameras made by LILIN of Taiwan and using the IoT devices for DDoS attacks.
Also in 2020, vulnerabilities were discovered in close to 700,000 security cameras, including those produced by Alptop, COOAU, Ctronics, Besdersec, CPVAN, Dericam, Jennov, Luowice, LEFTEK, QZT, and Tenvis. Users of these security cameras are in danger of being hacked. The vulnerabilities can be exploited to circumvent firewalls and steal security passwords. The vulnerabilities were found in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera makers.