Posted on March 10, 2021 at 12:02 PM
A security startup based in Silicon Valley, Verkada, recently suffered a major security breach that affected several organizations, including car maker Tesla.
Verkada provides cloud-based security camera services for companies. According to the report, the hackers had access to more than 150,000 of the firm’s cameras, including those installed in Tesla warehouses and factories as well as other companies. Some of the exposed cameras are also used in police stations, schools, jails, hospitals, gyms, and Cloudflare offices.
Tillie Kottmann, one of the hacker groups responsible for the breach, has given a reason for the hacking incident. The group stated that the hack was to prove how easy it is to breach the company’s security cameras.
The group also had access to the company’s live feed. The group also stated that it has complete access to the video archive of all of the company’s customers.
Verkada has commented on the breach and informed the public that it has blocked all internal administrator accounts to keep them safe from unauthorized access.
A company representative stated that investigation about the breach is already ongoing to know the extent of the breach and find a potential issue. The group has also been denied access to the company’s archives and live feeds.
222 Tesla cameras affected
Apart from software provider Clooudflare Inc and Tesla Inc, there were other companies whose footage was exposed. The hackers had access to video from offices of Verkada, psychiatric hospitals, as well as inside women’s health clinics.
One of the videos showed inside Florida hospital Halifax Health where 8 hospital staffers were pinning a man down to a bed.
Another video obtained from the Tesla warehouse in Shanghai shows workers on an assembly line. The hackers revealed that it accessed about 222 cameras in Tesla warehouses and factories.
Kottmann, who has previously claimed credit for hacking carmaker Nissan Motor Co. and chipmaker Intel Group, stated that the group is all about a huge dose of anti-capitalism, fighting against intellectual property, as well as fighting for the freedom of information. The group also added that the curiosity and fun of successfully hacking an adjudged highly secured system are what motivates the group.
In another video shows police officers in a police station in Massachusetts interrogating a man in handcuffs. The hacking group also revealed it hacked the Sandy Hook Elementary School in Newtown, a place that witnessed a horrific incident in 2012 where 20 people were killed by a gunman.
Hackers obtained root access to the cameras
The hackers also had access to 330 security cameras installed in the Madison County jail in Alabama. Verkada uses facial recognition technology on its cameras to track movements and people inside the organizations its cameras are installed.
Images from the breached cameras show that the hackers used facial recognition technology in the camera to track correctional staff and inmates.
The hacking group also revealed that they succeeded in obtaining “root” access to the cameras. This means they can execute their code using the cameras. With such access, it could allow the hackers to infiltrate a larger corporate network of Verkada’s customers. They could also take control of the cameras and use them for future attacks. Kottmann said the group didn’t require additional hacking to get such a level of access to the camera since it was in-built in the camera.
Hackers used unsophisticated methods
The seemingly soft hacking strategy used by the hackers goes to show just how vulnerable connected cameras and other IoTs can be.
The hackers gained access to Verkada via a “Super Admin” account. According to Kottmann, an administrator’s username and password were publicly exposed on the internet. The hacking group said that was how they gained access to the Verkada system.
Verkada was set up in 2016 solely as a company that offers security cameras to organizations and helps them manage those cameras via web access. Earlier last year, the firm raised $80 million through fundraising led by Sequoia Capital, the oldest firm in Silicon Valley.
Verkada is valued at $1.6 billion. It’s not clear how the recent hacking incident will affect Verkada’s relationship with its customers. Tesla and other organizations affected by the breach didn’t respond immediately to questions from the press. Others declined to make comments.