Founded in 2016, Verkada is a security company that focuses on surveillance and facial recognition through the use of sophisticated software in security cameras.
Its products are used by thousands of organizations around the globe, including hospitals, police departments, prisons, schools, and well-known companies such as Tesla and Cloudflare.
Now, a hacking group says they have accessed thousands of live feeds from Verkada's cameras around the world. According to Vice, this includes more than 24,000 unique organizations.
And Verkada's security cameras are not like your typical baby monitor or puppy cam.
No, these cameras are an extremely powerful part of the Internet of Things (IoT). They have the ability to identify individuals by detecting their faces, and are capable of filtering individuals by their gender, the color of their clothes, and other characteristics. The camera's AI can also detect "unusual motion" and use all of the gathered information to search, over time, for footage that includes a specific individual.
The Verkada camera hack: what happened?
Verkada's CEO Filip Kaliszan posted a special security update to the company's website. It appears to be the breach notification sent to customers, and it explains what happened:
"First, we have identified the attack vector used in this incident, and we are confident that all systems were secured as of approximately noon PST on March 9, 2021, and remain secure today. If you are a Verkada customer, no action is required on your part.
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however we have no evidence at this time that this access was used maliciously against our customers' networks. All shell commands issued through our internal tool were logged."
What type of data or video was accessed in the Verkada hack?
In his letter to customers, Kaliszan explained what the company knows so far about hacker access to its systems, video feeds, and data. This includes:
- "Video and image data from a limited number of cameras from a subset of client organizations.
- A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
- A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems."
Verkada camera breach: what hackers are saying
One hacker from the group responsible for this attack spoke with Bloomberg, which broke the story. That individual says the intent was "to show the pervasiveness of video surveillance and the ease with which systems could be broken into."
And when asked about their reasoning for hacking in general, they had quite an interesting response:
"Lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it's also just too much fun not to do it."
The hacking group claims they found a username and password for an administrative account publicly exposed on the internet. That seems like a plausible explanation given the CEO's statement above.
They say the group then gained "root" access to the cameras, meaning they could use the cameras to execute their own code. In some cases, they were able to obtain access to the broader corporate network of Verkada's customers, and even hijack the cameras and use them as a platform to launch future hacks.
This story serves as a stark reminder: the more connected our world becomes, the larger the attack surface that can be reached with a keyboard and some mouse clicks.
For more information regarding this incident, you can read Verkada's security update.