The video security and AI company Verkada was breached, giving hackers access to more than 150,000 Internet-connected security cameras that were being used in schools, prison cells, hospital ICUs and large companies like Tesla, Nissan, Equinox, Cloudflare and others.
The hack was conducted by an anti-corporate hactivist group called APT-69420, based in Switzerland. According to the group’s representative Till Kottmann, they accessed Verkada’s systems on March 8 and the hack lasted 36 hours. She described Verkada, a startup based in Silicon Valley, as a “fully centralized platform” that made it easier for your team to access and download images from thousands of security cameras. The leaked footage appears to include large companies and institutions, but not private residences.
The video and images are intended to capture a range of activities that can be confidential, such as security video from the Tesla car manufacturing line and a screenshot from inside the security company Cloudflare. Some of the material is highly personal, including videos of patients in intensive care units at hospitals and prisoners at Madison County Jail in Huntsville, Alabama.
Kottman described security on Verkada systems as “non-existent and irresponsible” and said his group was targeting the company to demonstrate how easy it is to access Internet-connected cameras placed in highly confidential locations.
Supplied by Till Kottmann
Verkada said he has notified his clients of the hack and that his security teams are working with an outside security company to investigate it. Verkada told CBS News: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security company are investigating the scale and scope of this problem and we have notified the authorities.”
Supplied by Till Kottmann
The FBI made no comment. CBS News contacted Tesla and Equinox, but they were not available for comment at the time this story was published.
Kottmann provided CBS News with a 5 gigabyte file containing video and images of the hack, and described the attack as “non-technical” and not difficult to carry out.
Supplied by Till Kottmann
Kottmann said his group discovered a Verkada administrator username and password stored in an unencrypted subdomain. The company, she said, exposed an internal development system for the Internet, which contained encrypted credentials for a system account that, she said, gave them full control over the system with “super administrator” rights.
“We do very large vector scans for vulnerabilities. This was easy. We just used your web application the way any user would, except that we had the ability to switch to any user account we wanted. We didn’t access any servers. Simply we log into your web user interface with a highly privileged user [account]”Said Kottmann.
Kottmann said his hacker group is not motivated by money or sponsored by any country or organization. “APT-69420 is not supported by any nation or corporation, supported by anything other than being gay, fun and anarchy,” she said.
When asked if she feared repercussions, Kottman replied, “Maybe I should be a little more paranoid, but at the same time what would that change? I will be as focused as I am now.”