In the latest embarrassing hacking incident to affect American technology giants, a team of hackers has stolen what Bloomberg described as a "massive trove of security-camera data collected by Silicon Valley startup Verkada" in an effort to make a point about the dangers and drawbacks of mass surveillance.
Using administrator credentials purportedly found on the public Internet, the hackers gained access to live feeds tied to some 150K security cameras located inside hospitals, companies, police departments, prisons, schools and - bizarrely - Tesla HQ. According to the report, footage belonging to Tesla and software company Cloudflare was stolen in the hack. The hackers were also able to steal footage taken from inside women's health clinics and psychiatric hospitals, along with footage from inside Verkada's offices.
The cameras administered by Verkada, which bills itself as an "enterprise security camera" maker, use facial-recognition technology to identify people. And the hackers who stole the trove of data say they have access to "the full video archive" of Verkada's customers. In theory, this could give the hackers a panopticon-like view of hundreds of thousands - perhaps millions - of people.
The group behind the breach bills itself as an "international hacker collective" and said it stole the footage to help make a point about the dangers and pervasiveness of video surveillance. Perhaps to help emphasize this point, the group shared some particularly sensitive footage with Bloomberg, including...
Footage captured inside Florida hospital Halifax Health, which showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s website in a case study entitled: "How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System."
Video shot inside a Tesla warehouse in Shanghai showing workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
A video showing officers inside a police station in Stoughton, Mass., questioning a man in handcuffs.
Security camera footage taken from inside Sandy Hook Elementary School in Newtown, Conn., where gunman Adam Lanza killed more than 20 people in 2012.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama.
And cameras from multiple locations of the luxury gym chain Equinox.
Hackers were able to download the entire list of thousands of Verkada customers, as well as the company’s balance sheet, which lists assets and liabilities. As a closely held company, Verkada does not publish its financial statements.
Tillie Kottmann, one of the hackers who claimed credit for breaching the San Mateo, California-based Verkada, is acting as a sort of representative for the collective. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel and carmaker Nissan. They reportedly told Bloomberg their reasons for the hack were "lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism - and it’s also just too much fun not to do it."
Kottmann said the hackers were able to obtain “root” access to the cameras, meaning they could use the cameras to execute their own code. In some instances, this allowed them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as this is a built-in feature. The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
A rep for Verkada said the company had disabled all internal administrator controls to prevent any further unauthorized access. The individual added that "Our internal security team and external security firm are investigating the scale and scope of this potential issue."
Another source from inside Verkada told Bloomberg that the company's chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation. This facial-recognition technology is used to track staff and inmates inside prisons in the US, with many of the cameras responsible for this being hidden inside vents and other places.
Verkada offers its clients a feature called "People Analytics" which allows a customer to "search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face," according to a Verkada blog post. While hardly a household name, in October 2020, Verkada attracted some press attention after it fired three employees who reportedly used its cameras to take pictures of female colleagues inside the Verkada office and make sexually explicit jokes about them. Verkada CEO Filip Kaliszan said in a statement to Vice at the time that the company had "terminated the three individuals who instigated this incident, engaged in egregious behavior targeting coworkers, or neglected to report the behavior despite their obligations as managers."
This is just the latest hack-related news to rattle the US, as the business press has been intensely covering another breach where hackers working for the Chinese government managed to exploit flaws in Microsoft's Outlook email software to gain access to potentially thousands of high-value targets.