By Gregory Hale
In light of the breach exposing Verkada Inc. security camera footage at Tesla as well as hospitals, schools, and other organizations totalling 150,000 live camera feeds, security experts said this was an incident just waiting to happen.

In the incident, a group of hackers breached security-camera data collected by San Mateo, California-based startup Verkada, gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools, according to a Bloomberg report.

Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.

RELATED STORIES

Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers said they also have access to the full video archive of all Verkada customers, according to the Bloomberg report.

“While this issue exposed an admin/password on the web which happened to be a super-user, connected security cameras have been a target for hackers for some time, and it’s unfortunate to see vulnerabilities still exist with some manufacturers,” said Mike Nelson, vice president of IoT security at DigiCert. “Adding security to devices already in the field is much more challenging than planning for security during design and development of a product. Though we have seen progress when it comes to addressing cybersecurity for connected systems, there is still much work that needs to be done to raise awareness and promote best practices with the manufacturers building the devices, and also with consumers and businesses that are buying these devices.”

International Hacker Collective
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching Verkada in the Bloomberg report. Kottmann, who uses they/them pronouns, claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

“There have been so many published attacks in the past decade which undermined weak authentication, that no company should secure an account with such high privileges with a username and password,” said Dean Coclin, senior director of business development at DigiCert. “There are several lessons to be learned:

“1. Accounts that can disclose personal information must have two-factor authentication, at a minimum. Preferably, this second factor should be a digital certificate.

“2. Allowing one account with uber access should not be allowed. Segmented access across several accounts would help limit the attack surface.”

Verkada disabled all internal administrator accounts to prevent any unauthorized access, a company spokesperson said.

“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.

Limited Visibility
Tesla said, “based on our current understanding, the cameras being hacked are only installed in one of our suppliers, and the product is not being used by our Shanghai factory, or any of our Tesla stores or services centers. Our data collected from Shanghai factories and other places mentioned are stored on local servers.”

Verkada, founded in 2016, sells security cameras that customers can access and manage through the web. In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion.

In a September report, Jeremy Kimber, director video offering management at Honeywell talked about the growing importance to strengthen security on video systems.

“There are reports that potentially up to 15 percent of cyber breaches are caused by breaches of the physical security system,” Kimber said. “So, cybersecurity of the physical access control and video systems is increasingly critical. The last thing you want to do as an end user or as an installer is get caught with the type of cost that are starting to come through with cyber breaches.”

In May, in another report, a researcher said there were “systemic design flaws” in Internet-connected doorbell and security cameras that allows a shared account that appears to have been removed to actually remain in place with continued access to the video feed.

Exploiting Flaw
The mechanism for removing user accounts does not work as intended on many camera systems because it does not remove active user accounts, said Florida Institute of Technology computer science student Blake Janes. This could allow potential “malicious actors” to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video in a substantial invasion of privacy or instances of electronic stalking.

Janes’ work informed vendors about the vulnerabilities and offered several strategies to remediate the underlying problem.

In recognizing the importance of the work, Google awarded Janes a $3,133 “bug bounty” for identifying a flaw in the Nest series of devices. Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.