[BreachExchange] Security startup Verkada hack exposes 150,000 security cameras in Tesla factories, jails, and more

Destry Winant destry at riskbasedsecurity.com
Fri Mar 12 10:49:03 EST 2021


https://www.theverge.com/2021/3/9/22322122/verkada-hack-150000-security-cameras-tesla-factory-cloudflare-jails-hospitals

Verkada, a Silicon Valley security startup that provides cloud-based
security camera services, has suffered a major security breach.
Hackers gained access to over 150,000 of the company’s cameras,
including cameras in Tesla factories and warehouses, Cloudflare
offices, Equinox gyms, hospitals, jails, schools, police stations, and
Verkada’s own offices, Bloomberg reports.

According to Tillie Kottmann, one of the members of the international
hacker collective that breached the system, the hack was meant to show
how commonplace the company’s security cameras are and how easily
they can be hacked. In addition to the live feeds, the group
also claimed to have had access to the full video archive of all of
Verkada’s customers.

In a statement to Bloomberg, a Verkada representative commented: “We
have disabled all internal administrator accounts to prevent any
unauthorized access. Our internal security team and external security
firm are investigating the scale and scope of this potential issue.”
Following Bloomberg’s request to Verkada, the group lost access to
both the company’s live feeds and archives.

The hack was apparently relatively simple: the group managed to gain
“Super Admin”-level access to Verkada’s system using a username and
password they found publicly on the internet. From there, they were
able to access the entire company’s network, including root access to
the cameras themselves, which, in turn, allowed the group to access
the internal networks of some of Verkada’s customers.

Verkada prides itself on offering internet-connected security cameras,
promising a Silicon Valley “software-first approach” to make security
“as seamless and modern as the organizations we protect.” The
cloud-connected cameras include a slick, web-based interface for
companies to monitor their feeds and offer (optional) facial
recognition software, too.

The company has also come under fire in the past for accusations of
sexism and discrimination after an incident in 2019 where a sales
director used Verkada’s office security cameras to harass female
co-workers by secretly photographing and posting pictures of them in a
company Slack channel. In response, Verkada’s CEO offered members of
the Slack channel a choice between leaving the company or having their
stock options cut.

The list of clients that use Verkada is broad: in addition to
companies like Tesla and Cloudflare, the group gained access to
Verkada cameras inside Halifax Health, a Florida hospital; Sandy Hook
Elementary School in Newtown, Connecticut; Madison County Jail in
Huntsville, Alabama; and Wadley Regional Medical Center, a hospital in
Texarkana, Texas. In addition to the camera footage, the group also
says that it was able to access the full list of Verkada’s thousands
of customers and its private financial information.

