Hackers have breached the network of a Silicon Valley startup that provides surveillance cameras to prisons, hospitals, schools, and police departments, along with major tech companies such as Tesla and Cloudflare.
The breach provided access to the live feeds of 150,000 security cameras, some of which use facial recognition technology to identify and track the people on screen.
Security Breach Provides Access to Security Cams
A Bloomberg report identifies Silicon Valley firm Verkada Inc. as the victim of the hack.
Verkada provides surveillance camera services to hundreds of companies across the US, with clients ranging from hospitals to police precincts, tech companies, gyms, and everything in between. Even Verkada’s own offices were hit in the security breach.
Footage seen by Bloomberg showed the hackers in control of a security camera inside the Halifax Health facility in Florida. At the time, the footage showed “what appeared to be eight hospital staffers tackling a man and pinning him to a bed.”
A second video showed the internal workings of a Tesla factory in Shanghai. The hackers said they had access to “222 cameras in Tesla factories,” while yet another video showed police officers questioning a handcuffed man in a Massachusetts police station.
The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
Hacking Collective Breaches Verkada
It’s a big data breach affecting a range of targets, covering all manner of public and private life and business. An international hacking collective carried out the intrusion, with one of the hackers, Tillie Kottmann, claiming the intent is to show how pervasive all-encompassing surveillance has become and how lax security is for this vital infrastructure.
The collective revealed how they managed to access the company’s network, too. It wasn’t a zero-day exploit or a fancy hack. No, the group accessed Verkada’s “Super Admin” account using a username and password combo they found on the internet. From there, it was a matter of logging in and exploring, recording camera footage and the data collection practices of Verkada’s substantial client list.
In a statement to Bloomberg, a Verkada representative said, “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this potential issue.”
Regardless of how you feel about network intrusion, there is little doubt that the Verkada breach highlights a dangerous and prominent issue for companies using surveillance cameras. It is one thing to purchase and install the security system, but how can you continue to vet the surveillance company after the fact?