Bloomberg has reported that a group of hackers have breached a database containing security camera feeds collected by Verkada Inc., a Silicon Valley startup. The database includes live feeds of 150,000 surveillance cameras inside hospitals, organizations, police departments, prisons and schools.
According to Bloomberg, Tesla Inc. and software provider Cloudflare Inc. were exposed in the breach. Hackers say they were able to access video feeds from women's health clinics, psychiatric hospitals and the offices of Verkada, as well as access to some of the cameras using facial recognition technology. Bloomberg obtained video records, confirming the breach.
Bloomberg reports the breach was carried out by a hacker with the goal of demonstrating the "pervasiveness of video surveillance and the ease with which systems could be broken into." One of the hackers claiming credit for this breach include Tillie Kottmann, who has reportedly hacked Intel Corp. and Nissan Motor Co.
In a statement, a Verkada spokesperson said they had disabled all internal administrator accounts to prevent any further unauthorized access. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” The company is said to be working to provide a data breach notification to all customers and support line.
Rick Holland, Chief Information Security Officer at Digital Shadows and former Forrester Research analyst, says, “Verkada positions itself as a "more secure, scalable' alternative to on-premises network video recorders. The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers. You don't always get more secure when you outsource your security to a third party."
According to Holland, "the video leak is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information. GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon. The intrusion also highlights the need for internal cybersecurity and physical security teams to be integrated or closely aligned. The lines between these two functional areas are blurred as more and more physical security controls make their way to the cloud.”
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, explains, “If one conceptualizes the security requirements of an organization around the “digital chain of custody” – securing all elements of the digital chain of security is critical – Data, Infrastructure, Device, Endpoint, Application and Identity. Each one of those elements presents potential gateways to a breach. This breach is illustrative of how multiple simple gaps across multiple elements of the “digital chain of custody” can be combined to orchestrate a significant breach. In this case, the fact that the super-admin account information was freely available and the fact that missing security controls on the device are considered “by-design”, point to how a combination of security gaps across the “digital chain of custody” resulted in such a significant breach.”
According to Ray Espinoza, CISO at pentest-as-a-service provider Cobalt, this type of security breach could have likely been prevented. Espinoza says, "The attack is another example of how easily cyber criminals can infiltrate networks, how much damage they can do with the smallest loophole or bit of information. If the claims are correct, Verkada’s super admin account could have been phished, could have had a weak password, or could have been left on default across multiple devices. Proactive measures like regular pentesting, red teaming, or compromise assessments likely could have caught these network vulnerabilities ahead of time."
Jeff Horne, CSO at Ordr, a connect and unmanaged device cybersecurity company, explains that while the Verkada website bolsters that they have a “Secure by Default” methodology, "it is clear that while we create devices with security-in-mind, what humans create, typically has flaws. Security is not one dimensional and while organizations might point to the faults in Verkada’s practices, the ownness is not solely on the supplier or manufacture – although this point can be argued at length."
Organizations must look at the rapid growth of connected devices (ie. digital transformation), says Horne, as an opportunity to start maintaining a continuous and accurate inventory, a true understanding of how those devices communicate, automate alerts based on any device or group of devices that act outside of a set baseline, and automate proper segmentation of devices as to not let lateral movement inside your network via the device(s), and always make sure that admin maintenance accounts are secured properly. "Since the video system data can contain personally identifiable information (PII), company confidential information, and personal health information (PHI), it is important that our security community band together to help Verkada, the impacted organizations, and the individuals whose privacy was exploited."
Elisa Costante, VP of Research, Forescout, says, “Connected cameras are supposed to provide an additional layer of security to [organizations] that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. Worryingly, the attack wasn't even very sophisticated and didn't involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server."
Constante adds, "In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world. In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those [organizations] particularly vulnerable to these kinds of attacks. The only way for [organizations] to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place."
This latest breach should be a reminder that a compromised privileged account can lead to access to extremely sensitive devices when it is not protected with privileged access best practices, notes Joseph Carson, Chief Security Scientist at Thycotic. "Questions should be raised on whether a single user account should have that much privileged access to so many security cameras. When I was a System Administrator, we practiced separation of duties meaning that my accounts had limited access and for me to gain access to other systems I had to go through a security control before that would be permitted. This latest security breach is a stark reminder on the importance of the Principle of Least Privilege and why a single privileged account should be controlled with more verifications and requirements."