An international group of hackers breached the security system of California startup Verkada on Monday. The group gained access to the full video archive of all Verkada customers, as well as the live feeds of 150,000 surveillance cameras that are used by companies, police departments, hospitals, jails and schools, according to Bloomberg.
Firms affected by the breach include automaker Tesla, software provider Cloudflare Inc. and Verkada itself. Some of the cameras use facial recognition technology to identify and categorize people captured on the footage.
A collective called "Advanced Persistent Threat 69420" claimed credit for the breach and said that their intention was to expose how pervasive video surveillance has become and how easily security systems can be broken into.
The extent of the breach
According to Swiss hacker and group member Tillie Kottmann, the group broke into Verkada's "super" administrator account using valid credentials that they found on the internet. For two days, the hackers had access to the live feeds of hundreds of thousands of Verkada cameras.
Among those cameras are installed in Tesla factories and warehouses, as well as in Cloudflare offices in San Francisco, Austin, London and New York. The cameras at Cloudflare's San Francisco office are equipped with a facial recognition feature, though the firm said that it doesn't actively use it. (Related: Surveillance state: 1 in 2 American adults is already in the FBI's facial recognition database.)
The hackers also broke into video surveillance systems in Wadley Regional Medical Center in Texarkana in Texas. Meanwhile, the group accessed not only Verkada cameras inside Tempe St. Luke's Hospital in Arizona but also detailed records of who used Verkada access control cards to open certain doors and when they did so.
The collective also peered into multiple locations of the luxury gym chain Equinox, as well as Sandy Hook Elementary School in Connecticut, where a gunman killed over 20 children in 2012.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama. All devices were equipped with facial-recognition technology and some were hidden inside vents, thermostats and defibrillators. The hackers bared that on top of live feeds, they were able to access archived video and audio of interviews between police officers and criminal suspects.
A leaked clip, shot using a camera inside a police station in Stoughton in Wisconsin, opened to a view of police officers who were questioning a man in handcuffs. Another footage, taken using a camera inside Florida hospital Halifax Health, showed what looked like hospital staffers pinning a man to a bed.
The collective was also able to download the entire list of thousands of Verkada customers, as well as the firm's balance sheet.
Kottmann said that they managed to gain "root" access to Verkada cameras, which they could use to pivot and break into the broader corporate network of the firm's customers. Moreover, the access could allow the hackers to hijack the cameras and use them as a platform to launch future hacks. (Related: Digital prepping: How to keep your personal data safe.)
Breach serves as a lesson on surveillance
According to Kottmann, the breach "exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit."
Kottmann previously took credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. In an online chat with the Associated Press this week, Kottmann described their group as a small collective of mainly "queer" hackers who are not backed by any nation or private firm.
Kottmann said that the collective's reasons for hacking are "lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it's also just too much fun not to do it."
The collective no longer had access to Verkada data and cameras.
"We have disabled all internal administrator accounts to prevent any unauthorized access," a Verkada spokesperson said in a statement. "Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."
A person with knowledge of the incident said that the company is also working to notify clients and create a support line to address questions.
Founded in 2016, Verkada sells security cameras that clients can access and manage through the web. Last year, the firm fired three employees who used its cameras to take pictures of female colleagues inside the Verkada office.
Learn more about past cyberattacks at Glitch.news.
Sources include:
Please contact us for more information.