Hackers invade thousands of security cameras, exposing Tesla, prisons, hospitals

A group of hackers claims to have breached a huge treasure trove of security camera data collected by Silicon Valley startup Verkada Inc., gaining access to live images from 150,000 surveillance cameras inside hospitals, businesses, police departments, prisons and schools.

Companies whose footage was exposed include automaker Tesla Inc. and software vendor Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and Verkada’s own offices. Some of the cameras, including in hospitals, use facial recognition technology to identify and categorize people captured in the footage. Hackers claim that they also have access to the full video archive of all Verkada customers.

In a video seen by Bloomberg, a Verkada camera inside Florida’s Halifax Health hospital showed what appeared to be eight hospital workers grabbing a man and pinning him to a bed. Halifax Health is featured on Verkada’s public website in a case study entitled: “How a Florida health provider easily updated and deployed a scalable HIPAA-compliant security system.”

Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they gained access to 222 cameras at Tesla’s factories and warehouses.

The data breach was carried out by an international hacking collective and was intended to show the spread of video surveillance and the ease with which systems can be breached, said Tillie Kottmann, one of the hackers who claimed credit for breaching Verkada, which is based in San Mateo, California. Kottmann, who uses they/them pronouns, previously claimed credit for the hacking of chip maker Intel Corp. and automaker Nissan Motor Co. Kottmann said their motives for hacking are “a lot of curiosity, fighting for freedom of information and against intellectual property, a great deal of anti-capitalism, a hint of anarchism – and it’s also a lot of fun not to do it.”

“We have disabled all internal administrator accounts to prevent any unauthorized access,” said a Verkada representative in a statement. “Our internal security team and external security company are investigating the scale and scope of this potential problem.”

A person with knowledge of the matter said that Verkada’s director of information security, an internal team and an external security company are investigating the incident. The company is working to notify customers and set up a support line to answer questions, said the person, who requested anonymity to discuss an ongoing investigation.

Representatives from Tesla, Cloudflare and other companies identified in this story did not immediately respond to requests for comment. Representatives of the prisons, hospitals and schools mentioned in this article declined to comment or did not immediately respond to requests for comment.

A video seen by Bloomberg shows police officers at a police station in Stoughton, Massachusetts, questioning a man in handcuffs. Hackers say they also had access to security cameras at Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.

Also available to hackers were 330 security cameras inside Madison County prison in Huntsville, Alabama. Verkada offers a feature called “People Analytics”, which allows customers to “search and filter based on many different attributes, including gender characteristics, clothing color and even a person’s face”, according to a Verkada blog post. Images seen by Bloomberg show that cameras inside the prison, some of which are hidden in vents, thermostats and defibrillators, track inmates and correctional officers using facial recognition technology. The hackers claim to have been able to access live feeds and archived videos, in some cases including audio, from interviews between police and crime suspects, all in the high-definition resolution known as 4K.

Kottmann said their group was able to get “root” access to the cameras, meaning that they could use the cameras to run their own code. Such access may, in some cases, allow them to pivot and gain access to the wider corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Achieving this degree of access to the camera did not require any additional hacking, as it was a built-in feature, said Kottmann.

The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to spy on all of its customers’ cameras. Kottmann says they found a username and password for an administrator account publicly exposed on the Internet. After Bloomberg contacted Verkada, hackers lost access to video files and feeds, Kottmann said.

The hackers say they have managed to spy on several locations of the Equinox fitness chain. At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras aimed at nine ICU beds. Hackers also say they watched cameras at Tempe St. Luke’s Hospital in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did. A Wadley representative declined to comment.

The hack “exposes how widely we are being watched and how little care is put into at least protecting the platforms used to do this, looking for nothing but profit,” said Kottmann. “It’s amazing how I can see the things that we’ve always known are going on, but we never get to see.” Kottmann said they obtained access to the Verkada system on Monday morning.

Verkada, founded in 2016, sells security cameras that customers can access and manage over the web. In January 2020, it raised $80 million in venture capital financing, valuing the company at $1.6 billion. Among the investors was Sequoia Capital, one of the oldest companies in Silicon Valley.

Kottmann calls the hacking collective “Advanced Persistent Threat 69420”, a carefree reference to the designations cybersecurity companies give to state-sponsored hacker groups and criminal cybergangs.

In October 2020, Verkada fired three employees after reports emerged that workers used their cameras to take pictures of female colleagues inside Verkada’s office and make sexually explicit jokes about them. Verkada CEO Filip Kaliszan said in a statement to Vice at the time that the company “fired the three individuals who instigated this incident, engaged in blatant behavior targeting co-workers or forgot to report the behavior, despite their obligations as managers.”

Kottmann said it was possible to download Verkada’s full list of thousands of customers, as well as the company’s balance sheet, which lists assets and liabilities. As a privately held company, Verkada does not publish its financial statements. Kottmann said the hackers looked through the camera of a Verkada employee who installed one of the cameras inside his home. One of the saved camera clips shows the employee completing a puzzle with his family.

“If you are a company that has purchased this network of cameras and is placing them in confidential locations, you may not have the expectation that, in addition to being watched by your security team, there is an administrator at the camera company who is also watching,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who was briefed on the breach by Bloomberg.

At the Graham County, Arizona, detention center, which has 17 cameras, the videos receive titles from the center’s staff and are saved to a Verkada account. A video, filmed in the “Commons Area”, is entitled “ROUNDHOUSE KICK OOPSIE.” A video archived within the “Rear Cell Block” is called “SNIFFING / KISSING WILLARD SELLERS ???” Another video, filmed inside “Drunk Tank Exterior”, is titled “OUTUMN BUMPS HIS OWN HEAD”. Two videos shot from “Back Cell” are entitled “STARE OFF – DONT BLINK!” and “LANCASTER LOSES BLANKET.”

Hackers also gained access to Verkada cameras at Cloudflare’s offices in San Francisco, Austin, London and New York. The cameras at Cloudflare headquarters have facial recognition, according to images seen by Bloomberg.

Security cameras and facial recognition technology are often used inside corporate offices and factories to protect proprietary information and guard against internal threats, said the EFF’s Galperin.

“There are many legitimate reasons to be vigilant within a company,” added Galperin. “The most important thing is to have the informed consent of your employees. This is usually done within the employee handbook, which no one reads.”
