Hackers have breached a massive amount of data of the security-camera via Silicon Valley startup Verkada Inc. They have gained access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools in the US. Further, hackers successfully accessed feeds from Verkada customers including Tesla, Cloudflare, Equinox; Florida hospital system Halifax Health, Wadley Regional Medical Center in Texas and many more. Additionally, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.
One of the images that the hackers have let out, is a jail cell block. Another has a man wearing a fake beard dancing in a bank storage room. The images that the hackers captured, they posted on Twitter with a hashtag – #OperationPanopticon. Further, Verdaka Inc has stated that they have disabled all internal administrator accounts to prevent any unauthorized access. The team is investigating the scale and scope of this issue. They have also notified law enforcement, reports state.
Verdaka runs a platform that operates security systems online. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers. The massive data leak happened at Verkada last week. A deployment architecture of the vendor has led to leaks of the video footages and complete takeover of the CCTV cameras and further breach into the machines and servers. Smart cities too should be worried about these.
A cyber expert said, the potential for breaching common IoT devices, like security cameras, is something everyone has been talking about for years. “Cameras, much like other hardware devices, are often manufactured with built-in or hardcoded passwords. These, the customer, rarely, if ever, changes. While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common; demonstrating attackers’ growing confidence and precision. They have the ability to efficiently extrapolate weaknesses for impact,” he said.
While Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed. Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.
For a company who has purchased this network of cameras and have put them in sensitive places, they may not have the expectation that in addition to being watched by your security team that there is some admin at the camera company who is also watching. All the cameras or management Applications are connected to internet and cloud storage for many of us.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
