A massive trove of security-camera data under the surveillance of Silicon Valley startup Verkada Inc., was recently breached by a group of hackers who saw videos from inside women’s health clinics, psychiatric hospitals, police departments, prisons and offices of Verkada itself. The scope of the hack appears massive which was from the Live feeds of 150,000 surveillance cameras.
The hackers say they have access to the full video archive of all Verkada customers, especially carmaker Tesla Inc. and software provider Cloudflare Inc.
Tillie Kottmann, who is assumed to be the leader, has said that the ‘breach’ was intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into. One of the reasons he gave for breaking into the security cameras of Verkada is to fight for the freedom of information and against intellectual property.
In response to the attack, a spokesperson for Verkada said they have disabled all internal administrator accounts to prevent any unauthorized access. According to the spokesperson, the Silicon Valley startup’s internal security team and external security firm are investigating the scale and scope of this issue, and have notified law enforcement.
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
Representatives of Tesla and other companies identified in this story didn’t immediately respond to requests for comment. Representatives of the jails, hospitals and schools named in this article either declined to comment or didn’t immediately respond to requests for comment.
The hackers say they were able to access live feeds and archived video, in some cases including audio, of the following information;
- Officers in a police station in Stoughton, Massachusetts, questioning a man in handcuffs.
- Florida hospital Halifax Health: Eight-hospital staffers tackling a man and pinning him to a bed.
- Tesla warehouse in Shanghai: Workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
- Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
- 330 security cameras inside the Madison County Jail in Huntsville, Alabama.
- Interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.
The hackers’ used simple methods to gain access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
Kottmann has concluded that the hack confirmed just how careless Verkada has been, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit. “It’s just wild how I can just see the things we always knew are happening, but we never got to see,” Kottman said.
For the Records…
Verkada, founded in 2016, sells security cameras that customers can access and manage through the web. In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion. Among the investors was Sequoia Capital, one of Silicon Valley’s oldest firms.
