The surveillance hack

The breach of Verkada was carried out by an international hacking collective that was supposed to demonstrate the ubiquity of video surveillance and the ease with which systems can be broken. Tillie Kottmann, one of the hackers who claimed the breach, also claimed the hacks from Intel and Nissan Motor.

The hackers claimed to have stolen footage from more than 200 cameras connected to a Tesla warehouse. The hackers claimed to have stolen the data to show how easy it was to hack the device and how ubiquitous surveillance cameras are across the country. After receiving the footage, the hackers gained access to the administrator account and obtained unmasked login credentials to set up the account.

Other cameras use facial recognition technology to identify people, according to Verkada’s website, which divulges potentially sensitive personal information about patients, students and employees of Verkada customers. In some cases, the built-in features of certain cameras allowed hackers to use them to launch separate hacks into Verizon customers’ corporate networks, Bloomberg reported.

Verkada promotional materials claim the camera is capable of recognising people’s faces and filtering results based on clothing colour, apparent gender and the presence of a backpack. According to the Verkada website, the camera has facial recognition as a basic feature, but customers do not have to choose to use it. The table does not say how many cameras the organization has or how often it uses the cameras. The company confirmed that administrators had withdrawn access to the camera. Despite the spreadsheet, it is unclear whether Australian customers will be able to use facial recognition.

Verkada, based in San Mateo, California, is launching its cloud-based surveillance services as part of the next generation of job security. Its software recognizes people in front of the camera and provides a “personal history” feature that allows customers to recognize and track a face and other attributes such as clothing color and likely gender. However, not all customers use the function. Verkada attracted negative attention last year when the news site IPVM reported that a VerKada employee passed around photos of female employees collected by the company’s office cameras and made sexually explicit comments about them.

A Verkada spokesman said its systems were secure and that the company had blocked unauthorized access by disabling internal administrator accounts. The company, which said it had not received any threats against its systems, notified law enforcement, its internal security team and an external security firm to investigate the extent and scope of the breach.

Verkada and its competitors advertise their centralized surveillance devices as a charge of public safety by ensuring people’s safety, identifying threats and deterring crime before it occurs. Sales of high-resolution cameras start at $599, and cloud licenses start at $199 a year. The company also sells special $1,999 television stations that can stream up to 36 cameras simultaneously.

CloudFlare also uses Verkada for cameras in our offices in San Francisco, Austin, New York, London and Singapore. These cameras are used to enter and leave the main thoroughfares near our offices, in part to maintain security when the offices close throughout the year.

This is a wake-up call for businesses that rely on the Internet of Things so that technologies can combine their own security with the security of their technology providers. If Verkada’s own internal infrastructure is compromised, the controls are likely to be disabled. Other such events should serve as a similar reminder. They can dismantle a corporate network if there is no good security, and a simple email to an unsuspecting user could allow a database of cameras to be stolen, “he added.

The Verkada surveillance camera is a powerful part of the Internet of Things (IoT). It’s not your typical baby monitor or puppy camera. It has the ability to identify individuals by recognizing their faces, and is able to filter them by gender, the color of their clothing, and other characteristics. It can also detect unusual movements and be used to gather information and search the time of the footage to include certain individuals.

The hacker was able to download the entire list of Verkadas customers. When Verkada contacted the company, they lost access to the feeds. The company is investigating the incident and the victim’s response, but it appears that the incident was limited in scope.

It is not the network that is important, but access control. If we used the networks in the old moat instead of trust in the corporate networks, the result would be different. Zero confidence is more powerful than ever. [Sources: 4]

Kottmann said his group discovered that the Verkada administrator’s usernames and passwords were stored on unencrypted subdomains. The company, he said, also exposed internal development systems to the Internet that contained code and credentials for system accounts, giving the company full control over its systems with super-admin privileges.