March 15, 2021
By Ben Wodecki and Lauren Horwitz
Enterprises choosing cloud-based camera services should double down on security plans. Malicious attackers undertook a massive breach of Verkada security cameras found on various Tesla and Cloudflare sites, as well as in prisons, schools, and hospitals.
An international malicious group is reportedly behind the hack, which allegedly has ideological aims. One of the attackers, Tillie Kottmann, said that the goal of the breach was to fight for “freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism … and it’s also just too much fun not to do it.”
Kottmann and other malicious attackers obtained access to full video archives of all Verkada customers, with footage being leaked online of security cameras inside the Madison County Jail in Huntsville, Alabama, luxury gym chain Equinox, and at Wadley Regional Medical Center, a hospital in Texarkana, Texas, among other locations.
Footage of Tesla’s Shanghai factory was also published online, with transport start-up Virgin Hyperloop saying it too was subject to exposure from this hack.
The group obtained access through a so-called super admin account after obtaining login details of a Verkada administrator account that was posted online.
Following the incident, the malicious attackers reportedly lost access to the cameras and video archives.
“We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” a Verkada spokesperson said.
Revoking Access an Ineffective Counterstrategy
The attack is clear proof that while firms such as Tesla and Equinox have used real-time data from surveillance cameras, privacy breaches are a likely downside – although the scale of such an attack likely wasn’t expected. Organizations need to better secure their infrastructure through proactive security-by-design principles and rigorous password management.
Synopsys CyRC principal security strategist Tim Mackey noted that while Verkada was able to revoke the attackers’ access, that doesn’t mean that remote monitoring was disabled – only that the previous credentials were invalidated.
Mackey said, “Operators of Verkada cameras should reflash each camera with a known good copy of the firmware, as well as look for any indications of compromise on monitoring systems.”
“They then should ensure that the camera network is isolated from the internet, or if that isn’t possible, implement firewall protections to ensure that remote access only occurs from known locations over expected ports.”
Verkada Incident Likened to SolarWinds Breach
Companies should ensure that their own house is as secure as possible, with access restricted to unwanted applications and commonsense controls such as authentication being implemented, said Threatlocker CEO, Danny Jenkins.
Jenkins likened the Verkada breach to the recent SolarWinds breach, where apparent bad actors based in Russia obtained access to the software firm to spy on firms such as FireEye as well as several U.S. government departments.
This breach, however, was enabled by the lack of in-house security control, and then compounded by less than ideal controls in place to stop the attackers from accessing the cameras, Jenkins said.
“We see this over and over again. If Verkada’s own internal infrastructure is compromised, it is likely that these controls could be disabled. If you take a corporate network that does not have good security in place, something as simple as an email to an unsuspecting user could allow a database of all cameras to be stolen,” he added.
This is also yet another wakeup call for companies that rely on Internet of Things-enabled technologies that their own security is intrinsically tied to the security of their technology providers. Other such events have been similar reminders.
Growing Market Where Security Is an Afterthought
Forrester analyst Allie Mellen warned that personal information can easily be inferred by watching someone on video and agreed that the hack could have been avoided. Had the administrator’s username and password not been exposed online, the hackers would not have gained access to the system.
“Third party security software reviews are critical in order to verify that the products and services organizations work with address security as much as they do. Otherwise, they will be left with a security blind spot,” Mellen said.
Mellen said that digitally-connected home and enterprise security video systems are growing in popularity due to their ease of use. But with proliferation comes exposure, as she added that surveillance measures need to be kept to a minimum and that any recordings are properly handled and destroyed as soon as possible to avoid potential breaches.
But even as such surveillance systems grow in popularity, security appears to be an afterthought in many of the world’s surveillance cameras, Cybereason chief security officer Sam Curry said.
He suggested there are more than surveillance cameras in use around the world. The video surveillance market is expected to be worth $44 billion by 2025 according to, with five billion cameras expected to be deployed by 2027, according to a Reportlinker.com report.
The hack is a reminder of how vast the threat landscape is for the video surveillance market, Curry added.
Given their prevalence and growing use, it’s important to understand security risks posed by IoT cameras, said Nozomi Networks co-founder Andrea Carcano.
Failure to undertake measures to prevent similar unauthorized access could result in privacy, confidentiality, and business harms, she reminded.