Hackers easily accessed surveillance cameras in a shocking data breach.
Bloomberg reported today that a group of hackers breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Notable companies whose footage were exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.
The list of clients that use Verkada is broad: in addition to companies like Tesla, Cloudflare, Equinox, and Nissan, the group gained access to Verkada cameras inside Halifax Health, a Florida hospital; Sandy Hook Elementary School in Newtown, Connecticut; Madison County Jail in Huntsville, Alabama; and Wadley Regional Medical Center, a hospital in Texarkana, Texas. The group also says that it was able to access the full list of Verkada’s thousands of customers and its private financial information.
Who is Verkada?
Verkada offers cloud-connected security cameras with a web-based interface for companies to monitor their camera feeds. This gives customers the ability to watch and store real-time video from any location. Verkada offers the equipment required to monitor any desired areas, plus building automation gear that keeps track of temperature, motion, noise, and door access.
Additionally, Verkada also boasts artificial intelligence features that can track individuals. Called “People Analytics,” this software searches for specific people based on their face, clothes, any accessories they’re carrying, and their gender, and allows them to be tracked as they move around.
The selling point of their AI features is that it improves public safety and security by detecting unusual occurrences that possibly pose a danger. The end goal is to stop crimes before they occur. These kind of “video analytics” systems are becoming more and more popular as companies and organizations turn to them to prevent anything from petty theft to mass shootings.
How Did The Hackers Do It?
Their method was relatively simple. The group managed to gain admin-level access to Verkada’s system using a username and password they found publicly available on the internet. After finding the credentials, they were able to move freely within Verkada’s internal network and had root access to individual cameras. This allowed them to use the cameras to execute whatever code they wanted, giving them the ability to potentially perform further, escalated attacks. The hackers were also able to subsequently infiltrate some customer networks by using the camera’s connection as a starting point.
Besides accessing the live feeds of individual cameras, the hacker group was also able to infiltrate the complete video archive that contains files saved by Verkada’s users to the cloud. The centralized nature of the company’s software enabled the attackers to browse a massive amount of data with just a few clicks.