Tesla is one of the victims in a hack attack against Californian security firm Verkada, which reportedly affected 150,000 of its security cameras.
The Silicon Valley-based startup provides cloud-connected security cameras, offering both hardware and software solutions.
According to Bloomberg, hackers were able to access security cameras located within Tesla factories, Cloudflare offices, hospitals and police stations, among other locations. The cybercriminals also accessed cameras inside Sandy Hook Elementary School in Connecticut, US, where a gunman shot and killed 28 people in 2012.
Using a username and password found online, the perpetrators were able to gain administrative access to the company’s network and view both live video feeds and video archives belonging to Verkada customers. They also accessed the company’s private financial information.
“Connected cameras are supposed to provide an additional layer of security to organisations that install them,” said Elisa Costante, VP of research at Forescout. “Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. Worryingly, the attack wasn’t even very sophisticated and didn’t involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server.
“In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.”
According to Tillie Kottmann, who claims to be one of the hackers behind the breach, they hacked the cameras for reasons involving “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it”.
A Verkada spokesperson told Bloomberg that internal administrator accounts have now been disabled to prevent unauthorised access, and that the scale and scope of the incident are being investigated. The spokesperson also said that law enforcement has been informed.
Darren Guccione, co-founder and CEO of Keeper Security, said that the incident should be a “wakeup call” for organisations’ cybersecurity practices.
“The simplicity of this attack is what makes it so dangerous,” Guccione said. “These account credentials were found online. A cybercriminal with the right resources and access to the dark web could have eventually accessed them. This should serve as a wakeup call. It’s a classic example of the need for robust password hygiene and cybersecurity best practices. Every organisation should understand that cybercriminals have now placed over 20 billion stolen login credentials from public data breaches on the dark web. If action isn’t taken to appropriately monitor the dark web and maintain password security technology within the organisation, the results could be irreparable.”
Verdict has reached out to Verkada for comment.