150,000 Verkada security cameras hacked—to make a point

Threat Intelligence Team

Threat Intelligence Team

Hackers were able to gain access to camera feeds from Verkada, a tech company that specializes in video security and physical access control, to demonstrate how prevalent surveillance is, reports say.

Unfortunately, it also exposed the inner workings of hospitals, clinics, and mental health institutions; banks; police departments; prisons; schools; and companies like Tesla and Cloudflare, after at least 150,000 cameras were compromised as part of this demonstration.

Verkada is still investigating the scale and scope of the breach.

The attack

Swiss hacker and member of the hacking collective “APT-69420 Arson Cats,” Tillie Kottmann, claimed credit for the Verkada hack. When asked why, they told Bloomberg: “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”

Kottmann was also credited for breaching Intel in August 2020 and Nissan Motors in January 2021.

All of Kottmann’s tweets related to the Verkada hack contain the #OperationPanopticon hashtag, which references the panopticon, a prison architecture that allows a supervisor to have full view of its inmates without them knowing that they’re being watched. It is also a metaphor used to illustrate surveillance technology.

It isn’t clear if this operation is a name for just the Verkada hack, or a name for a series of breaches against surveillance companies that could affect millions, with Verkada just the first company to be targeted and breached.

Speaking to Bloomberg, Kottmann said this incident “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit. It’s just wild how I can just see the things we always knew are happening, but we never got to see.”

Twitter suspended Kottmann’s account after they leaked Tesla security footage.

When asked how they were able to breach Verkada, Kottmann claimed that they were able to get an administrator account credential, which was publicly available online for some reason, with “super admin” rights, which gave them access to any camera, belonging to any of the company’s clients.

IPVM reports that a source “with direct knowledge” discovered that “basically every team member” at Verkada, including executives, had super-admin privileges.

IPVM also reports that super-admin access went further than simply letting the hackers see whatever they wanted:

Not only did Super Admin provide access to video feeds … it provided access to the root shell inside the cameras running inside each customer’s facility.

The response

In a statement about the incident, Verkada confirmed IPVM’s reporting, admitting that attackers had “gained access to a tool that allowed the execution of shell commands on a subset of customer cameras”.

According to the company, attackers gained access via a Jenkins server “used by our support team to perform bulk maintenance operations on customer cameras”, which gave them access to “video and image data from a limited number of cameras from a subset of client organizations”. Attackers also gained access to lists of client account administrators and sales orders.

Seeking to reassure customers, the company said it had now secured its systems.

First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.

This isn’t Verkada’s first bout with negative publicity. In October 2020, three employees were fired after they abused Verkada’s own video surveillance system to capture and pass on media of female colleagues with sexually explicit jokes in one of the company’s Slack rooms.

Motherboard’s Vice was able to interview a Verkada employee who was unimpressed by the whole incident, saying “the big picture for me having worked at the company is that it has opened my eyes to how surveillance can be abused by people in power.”

The fallout

The hack raises serious questions about who had access to what, and why, and highlights both the security and privacy risks that come with admin and super-admin accounts. Simply, the more administrators there are, the more targets there are.

Administrator or super-administrator accounts should only be issued to people who need them to do their job, and those people should only use them if an account with lower privileges can’t be used. They should never be used for convenience.

Speaking to Bloomberg about the consent and privacy implications, Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, made the point that companies who use a network of cameras may not expect that someone other than the company’s security team are watching them.

“There are many legitimate reasons to have surveillance inside of a company,” Galperin said in a Bloomberg interview. “The most important part is to have the informed consent of your employees.”

Finally, it should not be forgotten that Verkada and its customers were the victims of a crime. Accessing other people’s computers without their consent is still illegal, no matter how good your point is.