
Cybersecurity Threat Advisory 0014-21: Numerous IoT Cameras Hacked

Threat Update

Verkada Inc., an organization providing IoT security cameras to public and private organizations across the globe, has reportedly had its camera systems compromised. Attackers claim to have breached the organization and accessed both live and archived camera feeds of over 150,000 cameras, including ones in hospitals, police stations, and schools. This breach does not appear to be ongoing and may have been caused by an administrator account whose credentials had been publicly exposed. After Verkada was notified that this may have been the point of entry, the breach was closed.

Technical Detail & Additional Information

WHAT IS THE THREAT?

Technology startup Verkada Inc. has been the victim of a data breach, according to a group of hackers. Verkada is an organization focused on cloud security and sells cameras to enterprises on the idea that cloud-based physical security is both easy to configure and secure. This breach has exposed the live and archived feeds of over 150,000 security cameras from all manner of organizations, such as hospitals, schools, police departments, and even the Verkada offices themselves. While the exact vector of the compromise has not yet been confirmed, sources from the alleged group behind the compromise claim that the login information for an administrator account was found publicly exposed on the internet. From there, the group says, it was easy to pivot and gain access to the broader array of cameras and corporate information. While this attack vector is not yet confirmed, when Verkada was notified of a potentially compromised administrator account, the breach was closed.

WHY IS IT NOTEWORTHY?

With the constant drive to bolster security while maintaining simplicity, there comes a point where that trade-off risks making devices too interconnected while protecting them with insufficient security measures. Through a single (alleged) mistake, the compromise of one administrator account at the parent company, numerous public and private organizations had sensitive data exposed to the world. Attackers could see the goings-on of hospital rooms, prisons, schools and even private organizations such as Cloudflare and Tesla. In a further Orwellian fashion, Verkada also offers a feature called “People Analytics” which allows a user to search for particular traits of persons visible to its cameras, including clothing color, gender traits, and even that person’s face. Such features provide a startling amount of people-tracking capability should these cameras be accessed by unauthorized persons.

WHAT IS THE EXPOSURE OR RISK?

The compromise of Verkada is ultimately a compromise of a sizable portion of their customer base, which is not completely unlike the compromise of an MSSP/MSP. With Verkada compromised upstream, the confidential data (camera live feeds and recordings) of their customers has been put at risk: a huge amount of data that no person outside of those organizations should have. Some of the compromised video archives included highly personal and protected situations, such as interviews between police officers and possible suspects. While the information that was made available by this compromise is not conventionally damaging to any of the compromised organizations, the daily functions of these organizations were laid bare to the prying eyes of the attackers. Cameras had visibility into highly secure areas, and a particularly motivated attacker could use what they learned about the daily operations or security of these organizations, by viewing them undetected, to escalate further.

WHAT ARE THE RECOMMENDATIONS?

While the exact nature of the compromise is unconfirmed, circumstantial evidence potentially indicates that what the alleged attackers say is true, and that an administrator account may simply have had its credentials exposed online. In this and similar cases, it is important to audit the permissions and usage of administrator accounts regularly to ensure that there are no accounts unaccounted for and that users only have the amount of access they require for their immediate roles and responsibilities.
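The audit recommended above can be run as a routine script rather than a manual review. The following is an added example, not code from the advisory or from Verkada: it takes an account export (the record schema with username, owner, role, privileges and last_login is an assumption, and the sample records are constructed), compares each account against a least-privilege baseline per role, and flags three things the advisory calls out: privileged accounts with no named owner (unaccounted for), privileges beyond what the role needs, and privileged accounts that nobody has used for a long time, since an exposed credential for an unused account is the kind that goes unnoticed.

```python
"""Audit privileged accounts for ownership, least privilege and usage.

Added example for this advisory. The record schema, role baseline and
sample accounts are constructed for illustration, not real Verkada data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export, roughly what a normalised identity-provider
# account report might look like. All values are invented.
SAMPLE_ACCOUNTS = [
    {"username": "jsmith", "owner": "Jane Smith", "role": "support",
     "privileges": ["view_cameras"],
     "last_login": "2021-03-08T14:02:00Z"},
    {"username": "svc-legacy-admin", "owner": None, "role": "admin",
     "privileges": ["view_cameras", "view_archives", "manage_users"],
     "last_login": "2020-06-01T09:15:00Z"},
    {"username": "mlee", "owner": "Mark Lee", "role": "support",
     "privileges": ["view_cameras", "manage_users"],
     "last_login": "2021-03-09T08:30:00Z"},
    {"username": "platform-admin", "owner": "Platform Team", "role": "admin",
     "privileges": ["view_cameras", "view_archives", "manage_users"],
     "last_login": "2021-03-09T11:45:00Z"},
]

# Least-privilege baseline: the most each role should be able to do (assumed).
ROLE_BASELINE = {
    "support": {"view_cameras"},
    "auditor": {"view_archives"},
    "admin": {"view_cameras", "view_archives", "manage_users"},
}

# Any account holding one of these is treated as privileged (assumed split).
ADMIN_PRIVILEGES = {"manage_users", "view_archives"}

# Constructed audit date so the sample run is reproducible.
AUDIT_DATE = datetime(2021, 3, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now, max_idle_days=90, baseline=ROLE_BASELINE):
    """Return a list of (username, finding) tuples, one per problem found."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        privs = set(acct["privileges"])
        privileged = bool(privs & ADMIN_PRIVILEGES)

        # 1. Unaccounted-for accounts: privileged access with no named owner.
        if privileged and not acct.get("owner"):
            findings.append((name, "privileged account has no named owner"))

        # 2. Least privilege: anything beyond the role's baseline is excess.
        excess = privs - baseline.get(acct["role"], set())
        if excess:
            findings.append((name, "privileges beyond role baseline: "
                             + ", ".join(sorted(excess))))

        # 3. Usage: a privileged account nobody logs into is a standing risk,
        #    because an exposed credential for it is unlikely to be noticed.
        idle = now - parse_ts(acct["last_login"])
        if privileged and idle > timedelta(days=max_idle_days):
            findings.append((name, f"privileged account idle for {idle.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {finding}")
```

Running it against the sample data reports the ownerless, long-idle service account and the support user holding an admin-only privilege, while the two correctly scoped accounts produce nothing. In practice the export would come from the identity provider's API or user report, and the baseline would be the organisation's own role definitions; the checks themselves do not change.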

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.