March 11, 2021 | 3 minute read
Digital attackers compromised the live feeds of 150,000 surveillance cameras made by enterprise security camera system manufacturer Verkada. According to Bloomberg News, a hacking collective that calls itself “Advanced Persistent Threat 69420” gained access to Verkada by misusing a “Super Admin” account at the company.
The attackers compromised that administrator account after they found its credentials publicly exposed on the Internet. Subsequently, the individuals used the account to obtain root access on 150,000 surveillance cameras used by Verkada’s customers. This allowed them to view the camera feeds at a hospital based in Florida, a Tesla warehouse in Shanghai and some offices operated by Cloudflare.
Tesla clarified to Bloomberg News that the impact of its exposure was limited: “Based on our current understanding, the cameras being hacked are only installed in one of our suppliers, and the product is not being used by our Shanghai factory, or any of our Tesla stores or services centers. Our data collected from Shanghai factories and other places mentioned are stored on local servers.”
For its part, Cloudflare said that it was using the cameras to monitor the entrances and main thoroughfares in “a handful of offices that have been officially closed for several months.” It went on to clarify that it had disabled the cameras and disconnected them from its network.
The breach didn’t just let the attackers view the live feeds of the surveillance cameras. Root access also gave the attackers the ability to hijack the cameras and misuse them for launching future attacks. Not only that, but it opened the door for them to infiltrate Verkada’s broader corporate network—all without engaging in additional malicious activity.
Advanced Persistent Threat 69420 apparently decided to seize that opportunity and download a list of thousands of the company’s customers along with Verkada’s balance sheet. Bloomberg News reached out to Verkada about the incident. A spokesperson responded with the following statement: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
A member of Advanced Persistent Threat 69420 subsequently clarified to Bloomberg News that the collective had lost access to both the cameras and the archives as a result of this action. Understanding the Ramifications of This Attack.
To understand the ramifications of this breach, I spoke with Yossi Naar, Cybereason’s chief visionary officer and co-founder. Here’s what he had to say:
David Bisson: Could you speak about the implications of an attacker viewing a surveillance camera’s feed? What’s the digital risk there?
Yossi Naar: I suppose the individuals shown in the live feeds could be identified with or without facial recognition depending on how much content and context they have. Blackmail, maybe. It wasn’t the intention of the attackers—at least, it didn’t seem to be. But content leaks could be used for harm. In a way, this was the point of the attackers. Surveillance is a risk to privacy in all its forms, and it could be abused.
DB: Understood. And what about physical security? Is there some danger of malicious actors using a digital compromise of these surveillance cameras to stage physical attacks?
YN: You could conceivably understand how a place works by watching the camera. But there’s a reason why attackers prefer cyber space to the physical realm. Getting caught has a much higher price tag. I’m not sure camera access is the differentiating factor for those seeking physical access, as they could find other ways in. As for espionage, with the focus on cybersecurity, we tend to forget that clandestine organizations have had much more practice in the physical world.
DB: Thanks for clarifying that point. Lastly, does the Verkada breach carry any privacy and/or compliance implications?
YN: Not necessarily. I believe it pertains more to the digital realm. My concern would be more with the content of the footage than the regulatory implications. The goal of the attackers seems to have been illustrating that mass surveillance is a double-edged sword. I think that point was illustrated well in this case. In many areas of privacy, we seem to give up our rights without a second thought until something bad happens, and only then do we concern ourselves with the repercussions. Privacy experts have been warning and demonstrating the cost and the potential harm in losing our privacy, yet it rarely remains a matter of concern for the public at large.
The incident described above highlights the need for organizations to defend against individually tailored attack campaigns that take advantage of weaknesses in their security posture. They can do this by taking an operation-centric approach to security. This involves gaining visibility into the attack chain using Indicators of Behavior (IOBs) so that organizations’ security defenders can shut down the attack within minutes.
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.
Yossi Naar, Chief Visionary Officer and Co-Founder, is an accomplished software developer and architect. During his 20 years of industry experience, Yossi has designed and built many products, from cutting-edge security platforms for the defense industry to big data platforms for the AdTech / digital marketing industry as well as the Cybereason in-memory graph engine.
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.All Posts by David Bisson