Note: (Updated with a Verkada response)
In yet another jolting reminder of how vulnerable endpoint security devices in general, and video surveillance cameras in particular, can be, Verkada, a cloud-managed, edge-based software platform that integrates video security cameras, access control and other sensor-rich technology, found itself yesterday the victim of a massive breach of its video network in which more than 150,000 surveillance cameras were accessed.
A group of hackers accessed and published live video feeds from the likes of Tesla and Cloudflare, along with videos and images apparently taken from a variety of other Verkada clients, including offices, warehouses, factories, jails, psychiatric wards, banks, and schools. Bloomberg News, which first reported the breach, said footage viewed by a reporter showed staffers at Florida hospital Halifax Health tackling a man and pinning him to a bed. Another video showed a handcuffed man in a police station in Stoughton, Mass., being questioned by officers. Bloomberg also reported that the Verkada data breach was instigated by an international hacker collective that was demonstrating not only its displeasure with the ever-increasing role video surveillance plays in the lives of global citizens but also the substantial vulnerabilities of many endpoint video devices.
The Hacker Explains
Swiss hacker Tillie Kottmann, who is a member of the hacker group APT-69420 Arson Cats, told The Associated Press that they were a small collective of “primarily queer hackers, not backed by any nations or capital but instead backed by the desire for fun, being gay and a better world.” Kottmann, who also credits the group with hacking chipmaker Intel Corp. and carmaker Nissan Motor Co., added that the Verkada hack was done with “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it.”
Kottmann said that the team found legitimate credentials for the Verkada account exposed online and was able to navigate through live video feeds for two days, accessing tens of thousands of cameras, some of which were streaming sensitive data. In comments Kottmann shared with SecurityInfoWatch, the ease with which they gained entry to the system should frighten end users and security experts alike.
“We found super admin credentials in a python script on a publicly exposed Veracode Jenkins Plugin on the Verkada server, which allowed us to log in to their web app with super admin privileges,” Kottmann explains, displaying the actual screenshot of the group’s exploits attached to an email that was sent to SIW. “We did not exploit any flaws or vulnerabilities. The cameras have a built-in maintenance backdoor, which allows anyone with super admin privileges to access a root shell on any camera of any customer at the click of a button.”
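A credential pasted into a maintenance script is exactly what a secret scan run over a repository or a CI workspace is meant to catch before the script ever lands on a reachable server. The following is an added example written for this page, not code from Verkada, from Kottmann or from any Jenkins plugin: it parses Python source with the standard ast module and flags string literals assigned to secret-looking names, credentials embedded in URLs, and long high-entropy literals, while ignoring obvious placeholders such as ${VAULT_API_KEY}. The name patterns, thresholds and the sample script are assumptions constructed for illustration.

```python
import ast
import math
import re
from collections import Counter

# Heuristics assumed for this example; tune them for your own code base.
SECRET_NAME_RE = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|credential|private[_-]?key",
    re.IGNORECASE,
)
# Values that are clearly placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|changeme|xxx+|\.\.\.|)$", re.IGNORECASE)
# scheme://user:password@host ...
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character. Random tokens sit near 4.5 and above; words and URLs lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _is_str(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source: str, min_len: int = 20, entropy_threshold: float = 4.0):
    """Return sorted (line, name, reason) tuples for credential-looking literals."""
    findings = []
    flagged = set()  # id() of literal nodes already reported, so no double counting

    def report(literal, name, reason):
        if id(literal) not in flagged:
            flagged.add(id(literal))
            findings.append((literal.lineno, name, reason))

    def check_named(name, literal):
        if _is_str(literal) and SECRET_NAME_RE.search(name) \
                and not PLACEHOLDER_RE.match(literal.value):
            report(literal, name, "literal assigned to secret-looking name")

    # ast.walk is breadth-first, so an Assign is seen before its Constant child.
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):            # PASSWORD = "..."
            for target in node.targets:
                if isinstance(target, ast.Name):
                    check_named(target.id, node.value)
        elif isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name):
            check_named(node.target.id, node.value)  # token: str = "..."
        elif isinstance(node, ast.keyword) and node.arg:
            check_named(node.arg, node.value)        # login(password="...")
        elif isinstance(node, ast.Dict):             # {"api_key": "..."}
            for key, value in zip(node.keys, node.values):
                if _is_str(key):
                    check_named(key.value, value)
        elif _is_str(node):                          # any remaining string literal
            s = node.value
            if URL_CRED_RE.match(s):
                report(node, "<url>", "credentials embedded in URL")
            elif len(s) >= min_len and " " not in s and "://" not in s \
                    and shannon_entropy(s) >= entropy_threshold:
                report(node, "<literal>", "high-entropy string literal")
    return sorted(findings)


# Constructed sample input for the scanner; not a real script from any vendor.
SAMPLE_SCRIPT = '''\
import requests

API_URL = "https://example.invalid/api/v1"
SUPER_ADMIN_PASSWORD = "Tr0ub4dor&3-maint-2021"
DB_URL = "postgres://ops:S3cretPw@db.example.invalid/cameras"
session = requests.Session()
session.headers["Authorization"] = "Bearer " + "q7Gd2xP9vL4mN8kR1sT6wY3zB5cF0hJ2"
config = {"username": "ops", "api_key": "${VAULT_API_KEY}"}
login(user="ops", password="hunter2hunter2")
'''

if __name__ == "__main__":
    for line, name, reason in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {line}: {name}: {reason}")
```

Run against the sample, the scanner reports lines 4, 5, 7 and 9 and stays quiet on the plain URL and the vault placeholder. Wiring a check like this into a pre-commit hook or a CI stage is cheap; the more durable fix is the one the scanner hints at on line 8, keeping the secret in a vault and injecting it at run time rather than into source.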
Tip of the Iceberg
Chris Roberts, a hacker of some infamy himself, understands the motives of hackers like Kottmann and the satisfaction they take in such exploits. While the headlines scream evil hackers, for Roberts it is a matter of organizations bearing responsibility for their own failings when it comes to cybersecurity and for the lack of seriousness applied to it in some cases.
“Yea, not surprising and honestly, this incident should not have rocked them (Verkada). We’ve been talking about the issue for years; we’ve often used surveillance systems as pivots into the corporate environments because we again see where too often the physical and digital security folks are not talking in an efficient way. The same can be said for the audio/visual folks as well,” chides Roberts. “So, yea, I’m not surprised by this (breach) and I’m sure this is just the tip of the iceberg.”
Rick Holland, Chief Information Security Officer at Digital Shadows and former Forrester Research analyst, says that the very security posture Verkada touts as a selling point could itself be a weakness.
“Verkada positions itself as a ‘more secure, scalable’ alternative to on-premises network video recorders. The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers. You don't always get more secure when you outsource your security to a third party,” says Holland. “The video leak is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information. GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon. The intrusion also highlights the need for internal cybersecurity and physical security teams to be integrated or closely aligned. The lines between these two functional areas are blurred as more and more physical security controls make their way to the cloud.”
Holland adds: “If you look at Verkada's website, and read their security and privacy language, they are saying the ‘right things.’ Verkada's site has all the security and privacy checkboxes. If Verkada's advertised security and privacy controls were implemented, then continuous assessment of the controls should be prioritized to minimize attacks like this in the future.”
However, Holland is worried about what other data the adversaries had access to if the video data, undoubtedly the "crown jewels" for Verkada, was so easily reached by Kottmann. He, like Roberts, feels the leaked video could be just the tip of the iceberg.
Let’s Go Phishing
Hank Schless, a Senior Manager for Security Solutions at Lookout surmises that if the hackers were able to gain access to Verkada’s infrastructure through the super admin account, it most likely was done through a phishing attack that was made more convincing through social engineering.
“Targeted phishing attacks are known as spearphishing attacks. Malicious actors will oftentimes use publicly available information in places such as social media profiles to build a convincing campaign targeting an individual. Spearphishing attacks are particularly effective on mobile devices where an attacker can phish the individual over voice (vishing), SMS (smishing), and other personal channels outside the controls of traditional perimeter-based security tools. In both of these situations, an attacker can socially engineer their way into convincing the target to share login credentials with them,” Schless says. “Attackers have also been known to target lower-level employees and phish their credentials, only to move laterally through the infrastructure once they have access. If the organization doesn’t have certain protections in place in their infrastructure, the attacker could escalate their own privileges in order to gain admin access.”
Some cybersecurity experts, like Ray Espinoza, the CISO at pentest-as-a-service leader Cobalt, feel this type of security breach could likely have been prevented. Espinoza says the attack on Verkada’s surveillance camera network is another example of how easily cybercriminals can infiltrate networks and how much damage they can do with the smallest loophole or bit of information. He says that if it was indeed the super admin account, there are several possible explanations for the weakness, including phishing, weak passwords, or a default credential left in place across multiple devices. He insists that proactive measures like regular pentesting, red teaming, or compromise assessments likely could have caught these network vulnerabilities ahead of time.
“Video surveillance cameras are like any other networked device. They can and should be assessed through traditional means to identify misconfigurations and vulnerabilities through penetration testing and regular vulnerability scans. Many times, manufacturers will provide guidance on how to harden the devices or how they should be deployed to prevent misuse. Teams that purchase this equipment should take the same care in deploying these devices as they would critical infrastructure within their environment,” Espinoza continues.
“Proactive measures like regular pentesting, red teaming, or compromise assessments likely could have caught these network vulnerabilities ahead of time. Putting a comprehensive vulnerability management program in place ASAP is the optimal measure you can take to ensure you’re catching security vulnerabilities before they turn into data breaches like this one. This hack exemplifies just how broadly we’re being surveilled and is a warning to us all that prioritizing security processes and technology is of the utmost importance.”
According to Patrick Hunter, the Sales Engineering Director, EMEA at One Identity, the fact that the Verkada solution is a third-party cloud solution could be among the weaknesses to be considered.
“In the case of Verkada, they are holding data that has the most public shock factor, video surveillance. What did Verkada do wrong? They allegedly didn’t have control over the one account they needed to. It is possible that the account wasn’t monitored, and that the password wasn’t regularly changed on a rotation basis, but the biggest error was underestimating the power of one single account to undo their business and grant access to everyone’s data,” concludes Hunter. “At the very least, there should have been some form of multi-factor authentication or password vault to protect the account. Whenever an admin accessed it, they would have to prove that they were who they said they were, which is a simple, cheap, and effective first line of defense.”
The Final Word
As for Kottmann, the group’s attack was not so much an attempt to heighten awareness of cyber and network vulnerabilities as it was to thumb its collective nose at the system itself.
“I also just want to clarify that I am not a white hat; that I hate the corporate infosec industry and I wish more people would actually work on improving the world instead of protecting corporate interests and doing funny bug-bounties for Raytheon or whatever y'all do these days. Hack the planet,” Kottmann urges those of their ilk. “I generally dislike any kind of surveillance, but if you want to do it please do not use a centralized cloud platform of some VC-funded startup that has more sales employees than customers and cares about nothing other than profit.”
In a statement released today to the company's customers, Verkada CEO Filip Kaliszan said: "Yesterday, we contacted you after learning that Verkada’s system was accessed by attackers. We want to share an update on the security of our system, the status of our investigation, and the steps we are taking to ensure the protection of our system and our customers.
First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
We are continuing to investigate the incident, and we are contacting all affected customers. At this point, we have confirmed that the attackers obtained the following:
- Video and image data from a limited number of cameras from a subset of client organizations
- A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
- A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.
At this time, we have no evidence that the breach compromised the following:
- User passwords or password hashes
- Verkada’s internal network, financial systems, or other business systems
We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.
In addition to our internal response team, we have retained two external firms, Mandiant Solutions and Perkins Coie, to conduct a thorough review of the root cause of this attack and support our efforts to ensure internal security. We also notified the FBI, who are assisting us in this investigation."
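Verkada's statement says the support tool that runs shell commands on customer cameras logged every command. Logging only pays off if something reads the log, and the pattern described on this page, one account reaching into many unrelated customer organizations in a short burst, is easy to catch. The following is an added example written for this page, not Verkada's code and not based on any published format of its logs: it parses a constructed, hypothetical CSV audit trail and raises two kinds of alert, one for commands outside an assumed allowlist of maintenance operations and one when a single actor touches five or more distinct customer organizations within ten minutes. The log format, field names, allowlist and thresholds are all assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Assumed allowlist of ordinary maintenance operations; raw shell is not on it.
ALLOWED_OPS = {"set_image_param", "restart_stream", "get_config"}


def parse_log(text: str):
    """Parse a CSV audit trail (hypothetical format) into time-ordered event dicts."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])


def detect_abuse(events, window=timedelta(minutes=10), org_threshold=5):
    """Return alert dicts for non-allowlisted commands and cross-tenant fan-out."""
    alerts = []
    recent = defaultdict(deque)   # actor -> sliding window of (ts, org_id)
    fanout_alerted = set()        # one fan-out alert per actor, at first crossing

    for e in events:
        op = e["command"].split()[0]
        if op not in ALLOWED_OPS:
            alerts.append({"rule": "non-allowlisted-command", "actor": e["actor"],
                           "org_id": e["org_id"], "ts": e["ts"], "command": e["command"]})

        q = recent[e["actor"]]
        q.append((e["ts"], e["org_id"]))
        while q and e["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct_orgs = {org for _, org in q}
        if len(distinct_orgs) >= org_threshold and e["actor"] not in fanout_alerted:
            fanout_alerted.add(e["actor"])
            alerts.append({"rule": "cross-tenant-fanout", "actor": e["actor"],
                           "orgs": len(distinct_orgs), "ts": e["ts"]})
    return alerts


# Constructed sample audit log; the format and every row are invented for this example.
SAMPLE_LOG = """\
ts,actor,org_id,device_id,command
2021-03-08T09:12:01Z,support-alice,org-101,cam-1,set_image_param brightness=60
2021-03-08T09:15:44Z,support-alice,org-101,cam-2,set_image_param brightness=60
2021-03-08T14:02:10Z,support-bob,org-205,cam-9,restart_stream
2021-03-09T02:00:03Z,svc-jenkins,org-311,cam-4,/bin/sh -c 'id'
2021-03-09T02:00:09Z,svc-jenkins,org-412,cam-7,/bin/sh -c 'id'
2021-03-09T02:00:15Z,svc-jenkins,org-513,cam-1,/bin/sh -c 'cat /etc/shadow'
2021-03-09T02:00:21Z,svc-jenkins,org-614,cam-3,/bin/sh -c 'id'
2021-03-09T02:00:30Z,svc-jenkins,org-715,cam-2,/bin/sh -c 'id'
2021-03-09T02:00:41Z,svc-jenkins,org-816,cam-5,/bin/sh -c 'id'
"""

if __name__ == "__main__":
    for alert in detect_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, the two human support accounts produce nothing, while the CI service account trips the allowlist rule on every command and the fan-out rule at its fifth organization in under a minute. The point of the second rule is that each individual command on its own looks like a legitimate support action; only the breadth across tenants from one identity gives it away, which is why the window is keyed on the actor rather than on the device.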
About the author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist.