Most people would assume having security cameras at a facility provides peace of mind and offers additional protection. However, when everything from televisions to security cameras are connected to networks, they also can open up organizations to network-based hacks and attacks.
According to a report by Bloomberg, Silicon Valley startup Verkada, a company that offers cloud-based security camera services, has suffered a massive cybersecurity breach. A group of hackers claim to have gained access to data from more than 150,000 security cameras installed in schools, factories, businesses, prisons, hospitals and more. Companies impacted include carmaker Tesla, software provider Cloudfare, Equinox gyms, many hospitals and prisons and even Verkada’s own offices.
The Verkada security breach showed the ease with which many systems can be compromised now that more devices are connected as part of the internet of things (IOT). IOT and operational technology (OT) devices are essentially acting as computer systems that can be infiltrated, especially if sufficient care isn’t taken to protect them. Once someone with malicious intent gains access into a system, they can linger for weeks or months looking for sensitive information, said Bryan Bennett, cybersecurity practice leader at Environmental Systems Design (ESD).
“There are 30,000 new forms of malware that are created a day, trying to break through every single thing everybody has,” Bennett said. “I mean, 53% or 54% of all businesses were hacked last year. That means if you didn’t get hacked last year, it’s your turn, just by playing the odds. So you just have to be prepared and vigilant all the time.”
According to Bloomberg, the data breach was carried out by an international hacker collective that wanted to show the pervasiveness of video surveillance and how easy it was to break into those systems. Tillie Kottmann, one of the hackers who claimed credit for the attack, told Bloomberg their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it.”
The Verkada security breach was apparently relatively unsophisticated. The collective was able to gain “Super Admin” access to the company’s systems via a username and password they found publicly available on the internet. Once they were in, they were able to obtain “root” access to the cameras, which allowed them entry into the internal networks of some of Verkada’s customers.
“If you have a facility that has a lot of cameras, just surveillance cameras, every one of those requires a password,” Bennett said. “If you don’t change that default password and I’m just sitting in a lobby area or doing whatever I would be doing, I can literally find each one by a MAC address, look for the password, and if that one wasn’t changed, I can find it. In addition, if you change them all to the same password and then it gets discovered, it’s just as bad as the default password.
“They have to be unique and different but recorded in some place that can’t be discovered by a third-party entity. Even if it was somebody that was working on the campus. Their default password should not work because if you have a disgruntled employee, then he or she still knows how to hack into your stuff because they still have all the tools.”
A Verkada spokesperson told Bloomberg the company has disabled all internal administrator accounts to prevent further unauthorized access and has notified law enforcement of the breach. The company is in the process of investigating the full scale and scope of the attack.
Cyberattacks on SolarWinds and Oldsmar: CEO Interview Series, John Livingston, Verve Industrial
Oldsmar water treatment facility attack is an example of rising cyber threat
Cybersecurity Management: CEO Interview Series, Pranav Patel, ResiliAnt