Verkada, a video and AI security company that sells security cameras customers can access over the internet, recently suffered a security breach that gave hackers access to more than 150,000 cameras belonging to the company. The footage included material from Tesla factories and Cloudflare offices, but also video from hospitals, companies, police departments, schools, and even prisons.
“This breach should be a wake-up call to the dangers of self-surveillance,” said Andrew G. Ferguson, a law professor at American University Washington College of Law. “We are building networks of surveillance we cannot escape from without really thinking about the consequences. Our desire for some fake sense of security is its own security threat.”
Just a warning shot
Tillie Kottmann, a member of the hacker collective Advanced Persistent Threat 69420, which is responsible for the breach, said that the group’s purpose was to show how easy it is to hack the company’s security cameras. They also added that their access was not restricted to the live feeds: they could also view the full video archive of all of Verkada’s customers.
“We generally do not do targeted work. We all have ADHD and not a lot of patience,” Kottmann said. “It still feels incredibly surreal the amount of foothold I was able to gain from this. That’s the irony of this whole thing: All the cool features they provide for security are exactly why everything broke.”
How did they do it
Because Verkada’s hardware connects to the Internet through the company’s cloud service, customers can not only watch and save the real-time video they are interested in, but also use the company’s “People Analytics” software, an artificial-intelligence feature that lets the viewer track a person as they move around a room or building.
The software does this automatically using just a few distinctive features: a certain color the person is wearing, a particular accessory they are carrying (for example, a backpack or a purse), their expression, and even their “apparent sex”. All of this runs on high-resolution cameras whose prices start at $599, while the cloud licenses sell for less than half of that: $199 a year.
The Silicon Valley company even sells a $1,999 “viewing station.” According to the company’s website, the VX51 “is a dedicated device that streams up to 36 camera feeds simultaneously to any display with ultra-low latency, crisp video playback, and customizable layouts.” The license price for this “viewing platform of choice for customers with mission-critical real-time viewing requirements” begins at $499 for one year and goes as high as $3,999 for 10 years.
Verkada security, embarrassingly simple to bypass
For a company that advertises itself as “Smarter Security, Safer Buildings” on the strength of its strategy of “approaching safety with a software-first approach” and thus “making security as seamless and modern as the organizations we protect,” the method Advanced Persistent Threat 69420 used to get in was embarrassingly simple.
The hacker collective gained “Super Admin”-level access to the video security company’s system after finding a publicly available username and password on the internet and using it to log in to the system.
Alarming statistics: “For every one of these you hear about, there are 10 others you don’t.”
Liz O’Sullivan, the technology director for the nonprofit advocacy group Surveillance Technology Oversight Project, says that the mass collection of personal video and data currently carried out by tech companies has created a massive opportunity for hackers, who are constantly probing for vulnerabilities.
“This is the hypocrisy of the surveillance network: Anything you create under the guise of making more safety is a tool that can be turned against you,” O’Sullivan stated. “The more we centralize power into the hands of a few tech companies, the more at risk we are of things like this,” she added. And “for every one of these you hear about, there are 10 others you don’t.”
The hacker group gained access to Verkada cameras inside Halifax Health, a Florida hospital; Sandy Hook Elementary School in Newtown, Connecticut; Madison County Jail in Huntsville, Alabama; and Wadley Regional Medical Center, a hospital in Texarkana, Texas. And this is only the tip of the iceberg.
In fact, Tillie Kottmann also stated that their reasons for hacking are “lots of curiosity, fighting for the freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it.”
After the incident, Tillie Kottmann’s Twitter profile, dubbed “APT 69420 Arson Cats,” was banned from the social media platform after the group disclosed how it had gained access to live feeds from more than 150,000 of the company’s security cameras.