Breach of security cameras worrisome for the industry
Hackers expose flaws in Verkada system used by Tesla, jails and hospitals
A group of hackers say they breached a massive trove of securitycamera data collected by Silicon Valley startup Verkada, gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Companies whose footage was exposed include Tesla and software provider Cloudflare. Hackers also were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people in the footage. The hackers say they also have access to the full video archive of all Verkada customers.
In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.” A spokesman for Halifax confirmed that it uses Verkada cameras but added “we believe the scope of the situation is limited.”
Another video, shot inside a Tesla warehouse in Shanghai shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo-based Verkada. Kottmann previously claimed credit for hacking chipmaker Intel and carmaker Nissan.
Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Disabled accounts
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions.
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
Tesla said that, “based on our current understanding, the cameras being hacked are only installed in one of our suppliers, and the product is not being used by our Shanghai factory, or any of our Tesla stores or services centers. Our data collected from Shanghai factories and other places mentioned are stored on local servers.”
People data
Verkada offers a feature called “People Analytics,” which lets a customer “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” according to a Verkada blog post.
Images show that the cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, track inmates and correctional staff using the facial-recognition technology. The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a builtin feature, Kottmann said.
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.