A group of hackers broke into startup Verkada's database and viewed images from 150,000 surveillance cameras inside hospitals, businesses, police departments, prisons and schools.
An image of the interior of the Madison County prison through a Verkada surveillance camera. (Image: Bloomberg)
Companies whose security camera images were exposed include electric vehicle maker Tesla and software vendor Cloudflare. In addition, the hackers could watch videos from women's health facilities, psychiatric hospitals and even Verkada's own offices. Some cameras use facial recognition technology to identify and classify people in videos. The hackers also gained access to the library that hosted all Verkada customer videos.
A video viewed by Bloomberg showed a Tesla warehouse in Shanghai, where workers were on the assembly line. The hackers reported gaining access to 222 cameras at the Tesla factory and warehouse.
According to Tillie Kottmann, one of the hackers responsible for the Verkada attack, the incident was carried out by an international hacker group to demonstrate how widespread video surveillance is and how easily such systems can be broken into. Previously, Kottmann also attacked chipmaker Intel and car maker Nissan.
A Verkada spokesperson said the company has disabled all internal administrator accounts to prevent future illegal access. The company is investigating the scale of the incident, notifying the authorities and customers, and setting up a hotline to answer questions.
The hackers also infiltrated 330 security cameras inside the Madison County prison in Huntsville, Alabama. Verkada provides a "People Analytics" feature, allowing customers to "find and filter based on many attributes, including gender, clothing color, face". The hackers stored several videos with audio and photos of police interviews and suspects, all in 4K format.
Kottmann says the group had "root" access to the cameras, meaning the cameras could be used to execute commands remotely. In some cases, that access could extend to the broader networks of Verkada's customers, or the cameras could be taken over and used as a base for future attacks. Surprisingly, no sophisticated attack techniques were needed.
Kottmann revealed that the group found a Verkada Super Admin account exposed on the Internet and used it to carry out the hack on Monday morning (March 8).
Verkada, founded in 2016, sells security cameras that customers access and manage via the web. In January 2020, the startup raised $80 million in investment, raising its valuation to $1.6 billion. In October 2020, it fired 3 employees after receiving reports that they had used cameras to secretly photograph female colleagues at the Verkada office and tease each other.
The hacker group downloaded a complete list of Verkada customers as well as the company’s financial sheet. As a private company, Verkada does not publish financial statements.
Du Lam (According to Bloomberg)