A group of hackers claims to have breached security camera data held by Verkada Inc. The hackers allegedly got access to live feeds of over 150,000 surveillance cameras inside businesses, prisons, police departments, hospitals, and even schools. Companies affected by the breach include Cloudflare and Tesla. Some of the cameras had facial-recognition technology, allowing the hackers to identify the people in the footage. The hackers also claim to have access to the full archive at Verkada.
A video shared by Bloomberg appeared to show the inside of Halifax Health hospital in Florida. The footage showed eight workers tackling a man and pinning him to his bed. Halifax Health is listed on the Verkada website as part of a case study titled “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.” A spokesperson for the hospital verified they use Verkada cameras but added the hospital believes the damage is limited.
Hacking or Hacktivism?
The breach is the work of an international hacking collective and appears to be a statement on the pervasiveness of video surveillance and the apparent ease these systems can be compromised, according to Tille Kottmann, one of the hackers taking credit for the attack. Kottmann has previously claimed credit for hacking Intel and Nissan and claims to hack out of curiosity and to fight for the freedom of information and against capitalism.
A Verkada spokesperson said the company has disabled internal administrator accounts and is investigating the full scale of the issue. The company has also contacted law enforcement. The company has set up a support line to address any questions and concerns over the incident and is contacting those affected.
One worrying aspect of the hack is the potential of Verkada cameras. The company offers “People Analytics,” allowing users to search and filter based on attributes such as gender traits, clothing, and even facial traits. One video showed a feed inside a jail where the hackers could use facial recognition to identify and track individual inmates and correctional staff. The hackers also had access to police interviews with suspects.
How Did the Hackers Gain Access?
Kottmann claims the group obtained “root” access to the cameras, allowing them to execute their own codes. This could, in theory, give the hackers access to the wider corporate networks or hijack the cameras to use as tools in future attacks. Kottmann claims this was a feature built into the cameras and that their team didn’t have to do any extra work to obtain it.
The actual hacking method was rather unsophisticated, further showing how inept the security of the cameras was. The team gained access to a “Super Admin” account that gave them access to the complete customer network. The group found the username and password for an administrator account on the internet. The hackers lost access to the account when news agencies contacted the company for information.
Kottmann says the hack exposes how much the average person is surveilled, and how easily broken those surveillance systems are. The hacking group, which operates under the name “Advanced Persistent Threat 69420,” managed to download a full list of Verkada customers as well as financial data about the company. The group may have lost access to the admin account, but the full extent of this hack remains to be seen.