The Verkada breach again demonstrates that cyberattacks can happen to anyone, even a hotshot cloud-based video surveillance solutions provider that claims to pride itself on cybersecurity.
A Bloomberg report said that 150,000 Verkada cameras were breached by hackers who accessed video at various Verkada customer sites.
We’ve seen a fair number of reports on cyber issues in video surveillance. Another one was added today as Bloomberg reported that 150,000 Verkada cameras were breached. According to the report, the group of hackers responsible was able to view Verkada customer sites including hospitals, prisons and schools, while the Verkada customers affected include Tesla and software provider Cloudflare.
Bloomberg was rather detailed about what the hackers were able to see, including footage from inside a Florida hospital where eight staffers appeared to be tackling a man and pinning him to a bed. Bloomberg also reported on another video showing the inside of a Tesla warehouse in Shanghai where workers were on an assembly line; the hackers claimed to have obtained access to 222 cameras in Tesla factories and warehouses.
According to Bloomberg, the hacking was carried out by an “international hacker collective.” The news service reported on one of the hackers who said their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it.”
What’s alarming is the simplicity with which the hack was executed. According to Bloomberg, the hackers “gained access to Verkada through a ‘Super Admin’ account, allowing them to peer into the cameras of all of its customers.” The hacker that Bloomberg reported on said they “found a user name and password for an administrator account publicly exposed on the Internet.”
As of the time of this article, Verkada hasn’t posted an official response on the news/PR section of its website. The Bloomberg article quotes Verkada as saying: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
That Verkada suffered this major breach is a bit ironic, considering the company seemingly prides itself on cybersecurity. A “security principles” document from Verkada reads: “Committed to cybersecurity – At Verkada, we know it’s mission-critical to keep your data secret and safe. We’re dedicated to creating a peerlessly secure, modern surveillance solution,” before going on to explain the cybersecurity measures it has taken.
Verkada is a cloud-based security solutions provider based in San Mateo, California. It has emerged as one of the fastest-growing security companies in the industry. According to Business Journal, the company’s valuation jumped to US$1.6 billion at the beginning of last year after it received $80 million in Series C funding.
Cloud is indeed gaining popularity in video surveillance because users don’t have to purchase equipment like NVRs and servers. Some users also adopt a hybrid model, for example by storing important video on-premises and pushing other feeds to the cloud. Or the user can store video on-premises for a certain period and push it to the cloud at a later time.
There’s a perception that cloud-based video surveillance is more cyber-secure, given that security issues are taken care of by the VSaaS provider. Yet as the Verkada example shows, cloud is not always more secure. Indeed, as Yang Chao-chien of Trend Micro said at a recent event held by Info Security, asmag.com’s sister media platform, using a cloud service still carries certain risks, as hackers are still able to find vulnerabilities at the system, application and network levels.
It’s therefore incumbent upon VSaaS providers to take every precaution to secure their offerings, lest they suffer the kind of humiliation Verkada has this time. The full impact of the incident remains to be seen. What we can expect is that it will take some time for Verkada to rebuild its reputation.