10 Mar 2021

When 150,000 video surveillance cameras get hacked, it’s big news. Even if the main reason for the hack was to make a point. Even if the major consequence is bad publicity for a video company (and, by extension, the entire video surveillance industry).

The target of the hack was Silicon Valley startup Verkada, which has collected a massive trove of security-camera data from its 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools. Previously, Verkada has been known for an aggressive sales approach and its intent to disrupt the traditional video market.

The data breach was accomplished by an international hacker collective and was first reported by Bloomberg. The reported reasons for the hack were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it,” according to Bloomberg.

Tesla amongst those impacted

The “fun” included access to a video showing the inside of a Florida hospital, where eight hospital staffers tackled a man and pinned him to the bed. Inside a Massachusetts police station, officers are seen questioning a man in handcuffsA view inside a Tesla warehouse in Shanghai, China, showed workers on an assembly line. Inside a Massachusetts police station, officers are seen questioning a man in handcuffs. There are even views from Verkada security cameras inside Sandy Hook Elementary School in Connecticut, where a gunman killed more than 20 people in 2012.

In a “security update” statement, Verkada reports: “Our internal security experts are actively investigating the matter. Out of an abundance of caution, we have implemented additional security measures to restrict account access and further protect our customers.”

Hacking was possible due to built-in feature

The hacker group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code, reports Bloomberg. Obtaining this degree of access to the camera did not require any additional hackingUsing that access, they could pivot and obtain access to the broader corporate network of Verkada’s customers or hijack the cameras and use them as a platform to launch future hacks, the hackers told Bloomberg. Obtaining this degree of access to the camera did not require any additional hacking, as it was a built-in feature.

Elisa Costante, VP of research for cybersecurity firm Forescout, calls the Verkada security camera hack "shocking."

"Connected cameras are supposed to provide an additional layer of security to organisations that install them,” she says. “Yet, as the Verkada security camera breach has shown, the exact opposite is often true. [It is worrisome that] the attack wasn't even very sophisticated and didn't involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server.”

Super Admin account had access to all cameras

Hackers gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. They found a username and password for an administrator account publicly exposed on the internet, according to Bloomberg. The hackers lost access to the video feeds and archives after Bloomberg contacted Verkada.Hackers lost access to the video feeds and archives after Bloomberg contacted Verkada

The results could have been worse, says Costante. "In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.”

Impact on broader video surveillance industry

The impact of a well-publicised cyber-attack on the broader video surveillance industry is also a concern. “As an industry, and as manufacturers in physical security, we cannot take these hacks lightly,” says Christian Morin, CSO & Vice-President of Integrations & Cloud Services, Genetec. “The potential broad-reaching impact of these hacks on physical security systems, including providing a beachhead to facilitate lateral movement onto networks, resulting in data and privacy breaches or access to critical assets and infrastructure, cannot be overstated. It is our responsibility and duty to users of our technology to prioritise data privacy and cybersecurity in the development, distribution, and deployment of video surveillance systems.”

Widespread government and healthcare use

The Verkada cameras are in widespread use within government and healthcare, which are by far the company’s most dominant verticals. Lesser verticals for them are manufacturing, financial and retail.The Verkada website pledges to take privacy seriously

Verkada’s line of hybrid cloud security cameras combines edge-based processing with the capabilities of cloud computing. Cameras analyse events in real-time, while simultaneously leveraging computer vision technology for insights that bring speed and efficiency to incidents and investigations. Command, Verakda’s centralised web-based platform, provides users with access to footage they need. Motion detection, people analytics, and vehicle analytics enable searches across an organisation to find relevant footage.

The Verkada website pledges to take privacy seriously: “We are passionate about developing products that enhance the security and privacy of organisations and individuals. We believe that well-built, user-friendly systems make it easier to manage and secure physical environments in ways that respect the privacy of individuals while simultaneously keeping them safe.”