A group of hackers have breached a massive trove of security camera data collected by Silicon Valley start-up Verkada, gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons, and schools.
Companies whose footage was exposed include carmaker Tesla and software provider Cloudflare. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals, and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorise people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.
Below is commentary from a few leading cybersecurity vendors:
Lotem Finkelsteen, Director of Threat Intelligence, Check Point
The Verkada hack is another example of a supply chain attack where a single point of failure at the vendor’s network impacts its customers and offers unlimited access to customers’ data.
Supply chain attacks come in different forms, but always expose the weakest links. To gain a strong security posture, companies also need to make sure their vendors also secure their assets properly, so such cases will not replicate themselves.
John Shier, Senior Security Advisor, Sophos
While the details of the alleged intrusion into Verkada are still unclear, one thing is clear: supply chain integrity is everyone’s responsibility, and no organisation is too small to be impacted. Cloud service providers need to ensure that access to private data is limited and strictly controlled.
Consumers of the services must have access to the data and understand how the data will be transmitted and stored, how much data will be collected, how it will be used, and who else has access to it. Multi-factor authentication and detailed monitoring must be enabled to prevent and detect even accidental access, let alone criminal abuse. The victims in this breach range from small public institutions to large multi-national corporations, all of whom are custodians of sensitive information, from corporate secrets to private data belonging to their employees and the people they serve.
Sam Curry, Chief Security Officer, Cybereason
The reports of the hacktivist breach of more than 150,000 surveillance cameras used inside Tesla’s warehouses, police stations, jails and hospitals around the world are a reminder that even though recent nation state cyberattacks on SolarWinds and Microsoft Exchange Servers are garnering headlines, hacktivist groups are still players in the global cyber ecosystem.
This is not a one-time breach as this international group of hacktivists have claimed responsibility for other breaches in the past. It makes no difference if the motives of any threat actor are social, political, or financial in nature, when crimes are committed, and laws broken. It is also a reminder of how vast the threat landscape is.
This breach appears to have been preventable if the administrator’s username and password were not exposed on the Internet. Preventive medicine starts when user credentials are frequently updated, and security awareness training is regularly offered. Today, there are more than 1 billion surveillance cameras in use around the world and security is an afterthought in many of them, resulting in spying and unlawful monitoring of unsuspecting victims.
Morey Haber, CTO and CISO, BeyondTrust
If you are an IoT vendor you have some fundamental responsibilities to protect your company, infrastructure, and the security and privacy of your clients. You would want to architect and deploy a solution that in no way, ever, a single credential could be used to jeopardise the trust and well-being of your clients and solution. With that in mind you would want these basic security controls:
- Segregation of access to the IoT devices you service
- Two-factor authentication enabled for all clients
- Multi-factor authentication, MFA, enabled for all employees, vendors, and contractors
- Restricted access to all sensitive accounts from only approved zones
- Privileged access management to rotate, manage, secure, and provide certification for all administrative accounts
- An established workflow to allow access to the most sensitive accounts
Well, unfortunately for the Verkada IoT Camera Services, none of these security practices were enabled. Verkada announced a breach that allowed a threat actor to view unrestricted live camera feeds from thousands of cameras including some from very sensitive environments. The breach also allowed a threat actor to log in to critical systems via a single-factor username and password for a company administrator found exposed on the Internet. Lastly, the threat actor could also circumvent credentials for individual client IoT camera feeds. The technique used is not known but it could have been an administrative backdoor or password reset.
While this is another breach added to the list of security incidents in 2021, all companies should take notice, especially those providing IoT services via the web. They should perform proper segmentation, but most importantly learn about the benefits of and implement secure administrative accounts using a privileged access management solution.
Ammar Enaya, Regional Director – Middle East, Turkey, North Africa, Vectra AI
Organisations have to start thinking of cyber breaches as inevitable, not extraordinary. Cybersecurity thinking today is evolving. We see less preoccupation with endpoint defence, which fails regularly, and more emphasis on fast detection of enemy malware inside the perimeter, followed by rapid neutralisation and recovery. But we have to evolve faster. Lingering faith in faulty perimeter-protection solutions has cost too many organisations dearly. The best response to these attacks is to adopt better protective measures.