A “hacktivist” breached a massive trove of security-camera data collected by Silicon Valley startup Verkada, gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Bloomberg reports the breach was carried out by a hacker with the goal of demonstrating the “pervasiveness of video surveillance and the ease with which systems could be broken into.” One of the hackers claiming credit for this breach is Tillie Kottmann, who has reportedly hacked Intel Corp. and Nissan Motor Co.
The group, who call themselves Advanced Persistent Threat 69420, stumbled across log-in credentials for Verkada’s “Super Admin” accounts online. They publicized their findings, saying they were motivated by “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Now, anonymous Verkada employees say the identical “Super Admin” accounts that the hackers accessed were also widely shared within the company itself. Employees of cloud-based surveillance firm Verkada had widespread access to feeds from customers’ cameras, according to new reports from Bloomberg and The Washington Post.
Cameras that were breached
Companies whose footage was exposed include Tesla and software provider Cloudflare, women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage.
In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.” A spokesman for Halifax confirmed Wednesday that it uses Verkada cameras but added that “we believe the scope of the situation is limited.”
The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut; 330 security cameras inside the Madison County Jail in Huntsville, Alabama; and cameras at Tempe St. Luke’s Hospital in Arizona.
The hackers also obtained access to Verkada cameras in Cloudflare offices in San Francisco, Austin, London and New York. The cameras at Cloudflare’s headquarters rely on facial recognition, according to images seen by Bloomberg.
Super Admin accounts gave hackers and employees access to over 100,000 cameras
More than 100 employees had Super Admin permissions, reports Bloomberg, meaning that these individuals could browse the live feeds from tens of thousands of cameras around the world at any time. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” one former senior-level employee told the publication.
Verkada, meanwhile, says access was limited to persons who needed to fix technical problems or address user complaints. “Verkada’s training program and policies for workers are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” said the Silicon Valley firm in a statement given to Bloomberg.
The Washington Post cites the testimony of surveillance researcher Charles Rollet, who says individuals with close knowledge of the company told him that Verkada employees could access feeds without customers’ knowledge. “People don’t realize what happens on the back-end, and they assume that there are always these super-formal processes when it comes to accessing footage, and that the company will always need to give explicit consent,” said Rollet. “But clearly that’s not always the case.”
The same cloud-based systems that gave Verkada’s customers easy access to their cameras’ feeds also enabled the breach. A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident.