There is no denying that security cameras on your premises provide an extra layer of security against criminals or anyone carrying out illegal activities. But because these previously isolated cameras are now increasingly connected, they are more vulnerable than ever to outside hacks, turning devices built to ensure security into a potential liability for organisations.
Recently, a group of hackers said that they had breached the video security company Verkada and gained access to 150,000 security cameras installed in schools, hospitals and businesses. The breach is currently being investigated by the firm that makes the cameras.
This incident has affected several huge companies, including carmaker Tesla and software provider Cloudflare. According to Cloudflare, it had been alerted that the Verkada security camera system that monitors the main entry points and main thoroughfares in Cloudflare’s offices worldwide may have been compromised.
The hackers were also able to get live feeds from prisons, psychiatric hospitals, clinics and even the office of Verkada itself. Some of the cameras are able to identify and categorise people captured on the footage with facial recognition technology. The hackers also said that they had access to the entire video archive of Verkada’s customers.
So, who was responsible for this? The breach was carried out by an international hacker collective, and one of the members of the group, Tillie Kottmann, claimed credit for hacking into Verkada’s systems. Kottmann said the reason for the hack was “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism - and it’s also just too much fun not to do it”.
Although it looks like a sophisticated attack, the hack was actually rather simple, and what’s worrying is how easily the group was able to carry it out. They gained access to Verkada through a “super admin” account, which gave them the capability to browse through the live feeds of its customers’ cameras. According to Kottmann, they found the username and password of the administrator account exposed publicly on the internet. A Verkada spokesperson told the BBC that the company has since disabled all internal administrator accounts to prevent any unauthorised access.
CSA reached out to Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, for comment. He believes that there is always the potential for unauthorised access whenever you deploy an internet-connected device.
“In the case of the compromise of Verkada cameras, attackers were able to access administrative credentials for a significant portion of the Verkada camera network. That Verkada were able to revoke the attacker’s access as one form of remediation doesn’t imply that remote monitoring was disabled – only that the previous credentials were invalidated. It also doesn’t imply that the attackers weren’t able to change the software configurations within the camera or even potentially install other software”, added Tim.
This incident highlights the ongoing issue of bad configurations or weak passwords that leave the door open for attackers to gain access to highly critical systems. Acronis Co-Founder & Technology President, Stas Protassov, also shared his perspective on the matter: “I’m not surprised this happened – unauthorised access incidents have been an issue for years, it’s sad to see that the awareness is still low”.
So how can companies and individuals protect themselves from such attacks? “They must secure the configuration, restrict access where it must be restricted, remove default accounts and use strong passwords. They also have to update frequently, monitor access logs and separate devices from the rest of the network whenever possible”.
“As for the public service structures, such as police departments, they could be prohibited by local government from using cloud-based solutions for such purposes”, said Stas.