Cybercriminals hack over 150,000 security cameras; espionage risk active

Verkada, a startup company that provides a cloud-based security camera system, acknowledged that it was affected by a security incident, allowing threat actors to access more than 150,000 security cameras installed on the premises of all kinds of organizations, including Cloudflare, Tesla, Equinox, and even prisons, schools, and police stations.

Verkada sells internet-connected security cameras, using the approach known as “software first.” Cloud-connected cameras include a sophisticated web-based interface for businesses to control their streams and also offer facial recognition software as a Premium option.

Soon after, Tillie Kottmann, a member of the international hacking effort responsible for the incident stated that his goal was to show how vulnerable the systems operating in the company’s security cameras are. In addition to live streaming of affected cameras, hackers would also have accessed the full video logs.

In this regard, a Verkada representative mentioned: “As a security measure, we deactivate all administrator accounts to prevent any unauthorized access to these resources; our security team is already in collaboration with an internal firm to investigate the actual scope of the incident.”

On the method of attack used by hackers, it appears that this group gained “super administrator” level access to affected systems using a username and password exposed on the Internet. Once there, threat actors gained access to the company’s entire network, including root access to cameras and live streaming.

The company has also been criticized in the past for allegations of sexism and discrimination following a 2019 incident in which a sales director used security cameras at its facility to harass his co-workers and post private images on The Slack Employees channel of Verkada.

So far, improper access to Verkada cameras has been confirmed at facilities in organizations such as Tesla, Cloudflare, Florida’s Halifax Health Hospital Center, Sandy Hook Elementary School, Madison County Jail in Alabama, among other public and private organizations. Hackers also claimed to have personal and financial information from thousands of users and employees of the company.

The hackers who claimed responsibility for the attack do not yet mention whether their intention is to obtain a ransom in exchange for not disclosing this information, although the cybersecurity community does not rule out the ransom demand occurring in the coming days.