A cyber attack on video surveillance startup Verkada, in which a hacktivist collective compromised around 150,000 video cameras, many of them in secure locations, is prompting warnings about both basic security hygiene and the ethics of surveillance technology.
According to Bloomberg, the group behind the attack, which has self-designated as APT-69420, accessed video feeds from facilities operated by carmaker Tesla, web infrastructure and security specialist Cloudflare, gym chain Equinox, and multiple education, healthcare and prison facilities.
A representative of the group told the news organisation that they gained access after finding Verkada admin credentials exposed on the internet, and from there they were able to obtain root access to its installed hardware base, which could have enabled them to move laterally across its customers’ networks and establish persistence for future attacks – something the group appears not to have done.
In a statement shared with Bloomberg, Verkada said it had disabled all internal admin accounts to prevent any further access, as well as engaging its own security team and external experts to investigate the breach. It has also notified law enforcement, and at the time of writing, APT-69420 appears to have been expelled from its systems.
The successful attack highlights cyber security failings across the board. Darren Guccione, CEO and co-founder of Keeper Security, a password management specialist, said the simplicity of APT-69420’s attack was what made it so dangerous.
“The simplicity of this attack is what makes it so dangerous,” said Guccione. “These account credentials were found online [so] a cyber criminal with the right resources and access to the dark web could have eventually accessed them.
“It’s a classic example of the need for robust password hygiene and cyber security best practices. Every organisation should understand that cyber criminals have now placed over 20 billion stolen login credentials from public data breaches on the dark web. If action isn’t taken to appropriately monitor the dark web and maintain password security technology within the organisation, the results could be irreparable.”
Customer inconvenience
Elisa Costante, vice-president of research at internet of things (IoT) security specialist Forescout, who has previously explored the extent of Verkada’s estate, said the breach was also highly awkward for the firm’s customers.
“Based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organisations particularly vulnerable to these kinds of attacks. The only way for organisations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place,” she said.
“In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered.
“We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack,” said Costante. “This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.”
Niamh Muldoon, global data protection officer at IAM supplier OneLogin, said the consequences for Verkada were likely to be significant. “Video footage has the ability to identify an individual and is classified as ‘sensitive’ under privacy regulations such as GDPR and/or CCPA,” she said. “Therefore, Verkada are likely to see a huge financial impact as a result of this data breach.
“Customers will want assurance that they are protected from a range of physical and cyber security threats, including identity theft,” she said. “Privacy and industry regulators will be examining Verkada operations to assess whether appropriate controls were in place to protect these highly sensitive and regulated data types.”
Meanwhile, Stephen Kapp, chief technology officer and founder of Cortex Insight, a threat intel specialist, shared guidance for Verkada users. “To limit the damage of the attack, it is important that any organisations using Verkada cameras ensure that all administrator and super administrator accounts have default passwords changed and any fixes from Verkada applied as soon as available,” he said.
“The attack also reinforces the importance of organisations applying security controls around all devices connected to the network as this will limit the chances of intruders gaining remote access to them for nefarious purposes. This sort of device should never be directly connected to the internet.”
Surveillance culture
Perhaps fortunately for customers of Verkada, APT-69420’s representative explained that their motivation was to demonstrate how widespread video surveillance is, and how easily such systems can be broken to reveal information that users may prefer to keep private.
For example, one exposed video supposedly showed a suspect in police custody being physically restrained, while others revealed the identities of hospital patients, or of people who accessed secure areas of buildings. Other data leaked included inappropriate filenames given to videos saved for posterity by prison officers at an Arizona facility.
In this regard, it would certainly appear that APT-69420 has achieved its aims, as Kyle Walker, cyber security regional manager at A&O IT Group, a managed security services provider (MSSP), pointed out.
“The fact that it was this easy for a hacking group to get into Verkada’s systems is frightening and the hacker group’s intention was to expose these sorts of vulnerabilities in the first place,” said Walker.
“I do not think that people are always aware how exactly we are exposed through surveillance companies like Verkada. We know that there is someone on the other side watching, but what about those that think these feeds are private to the outside world?”
Natalie Page, threat intelligence analyst at MSSP Talion, added: “This attack against such a high-profile organisation, permitting attackers access to highly intrusive surveillance cameras, is extremely disturbing.
“Our modern world relies heavily on surveillance, built on billions of cameras which observe our every move. We have essentially created an infrastructure which all adversary classifications across the threat landscape can leverage to achieve their goals,” she said.