Hackers breached security company Verkada to access 150,000 cameras

Hackers breach security company Verkada and gain access to 150,000 surveillance cameras in jails, hospitals, Sandy Hook school, Equinox gyms and a Tesla factory

• Verkada, a Silicon Valley start-up, was hacked on Monday morning
• A collective of international hackers told Bloomberg they did it for ‘fun’
• They also wanted to show how pervasive the surveillance of citizens was
• The hackers obtained the password to a ‘super admin’ account to gain access
• They spied on hospitals, schools, jails, factories, gyms, offices, police stations
• Verkada says the breach has now been contained and they are investigating 

Hackers have broken into a security camera company in Silicon Valley, spying on real-time surveillance camera footage from inside Sandy Hook school, Equinox gyms, hospitals, police stations, prisons and a Tesla factory in Shanghai.

The hackers were part of an international group, and begun their attack on Verkada – which also offers facial recognition capabilities – on Monday morning, they said.

They spied, in real time, on seemingly private residences marked as ‘condos’, shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper’s office, airports, and more. 

Tillie Kottmann, one of the hackers, told Bloomberg they did it for fun, and accessed 150,000 cameras.

‘Lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it,’ Kottmann said.

A group of computer hackers have accessed 150,000 security cameras owned by Verkada

The Silicon Valley-based startup (pictured) say they now have the attack under control

Verkada told Bloomberg that they have now blocked the hackers’ access.

The hackers said that, when Bloomberg approached Verkada for comment, their access was suddenly cut.

‘We have disabled all internal administrator accounts to prevent any unauthorized access,’ a Verkada representative said in a statement.

Verkada offer a range of internet-accessible surveillance cameras for the home and office

‘Our internal security team and external security firm are investigating the scale and scope of this potential issue.’ 

Verkada told Motherboard they had alerted law enforcement. 

Verkada, founded in 2016, sells security cameras that customers can access and manage through the web.

In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion. 

The hackers gained access to Verkada through a ‘Super Admin’ account, allowing them to peer into the cameras of all of its customers.

Kottmann said they found a user name and password for an administrator account on the internet.

Kottmann said the security level was ‘abysmal’. 

A source within the company told Bloomberg that Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident.

The company is said to be working to notify customers and set up a support line to address questions.

The hackers provided a spreadsheet to Motherboard which showed more than 24,000 unique entries in the ‘organization name’ column. 

Verkada’s sophisticated surveillance cameras are capable of identifying particular people across time by detecting their faces, and are also capable of filtering individuals by their gender, the color of their clothes, and other attributes. 

Verkada’s cameras were accessed on Monday morning, the hacking group told Bloomberg

Calling themselves ‘Advanced Persistent Threat 69420’ – a reference to the designations cybersecurity firms give to state sponsored hacking groups and criminal cybergangs – the group even accessed footage showing a live feed of Verkada’s offices.

Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage.

The hackers say they also have access to the full video archive of all Verkada customers, and some audio.

In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed.

At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras pointed at nine ICU beds.

Hackers also say they watched cameras at Tempe St. Luke’s Hospital, in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did so.

Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line.

The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.

The hackers also obtained access to Verkada cameras in Cloudflare offices in San Francisco, Austin, London and New York.

Hackers had access to live feeds from the cameras until Bloomberg asked Verkada for comment

The cameras at Cloudflare’s headquarters rely on facial recognition, according to images seen by Bloomberg.

Inside a police station in Stoughton, Massachusetts, a man in handcuffs is being questioned, in a clip also seen by Bloomberg.

Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama.

Cameras inside the jail were hidden inside vents, thermostats and defibrillators, and used to track inmates and correctional staff using the facial-recognition technology.

They accessed 17 cameras inside Arizona’s Graham County detention facility and found that videos were given titles by the center’s staff and saved to a Verkada account.

One video, filmed in the ‘Commons Area,’ is titled ‘ROUNDHOUSE KICK OOPSIE.’

A video filed inside the ‘Rear Cell Block’ is called ‘SELLERS SNIFFING/KISSING WILLARD???’

Another video, filmed inside ‘Drunk Tank Exterior’ is titled ‘AUTUMN BUMPS HIS OWN HEAD.’

Two videos filmed from ‘Back Cell’ are titled ‘STARE OFF – DONT BLINK!’ and ‘LANCASTER LOSES BLANKET.’

Kottmann said their group was able to obtain ‘root’ access on the cameras, meaning they could control the cameras or hijack them to launch a future attack.

The hack ‘exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,’ Kottmann said.

‘It’s just wild how I can just see the things we always knew are happening, but we never got to see.’ 

Source: Read Full Article