Security camera hack exposes hospitals, workplaces, schools

Hackers aiming to draw attention to the dangers of mass surveillance said they were able to spy inside hospitals, schools, factories, prisons and corporate offices after they broke into the systems of a security camera startup.

That California startup, Verkada, said on Wednesday that it is investigating the scope of the breach, first reported by Bloomberg, and has notified the authorities and its customers.

Swiss hacker Tillie Kottmann, a member of the group that calls itself APT-69420 Arson Cats, described it in an online chat with the Associated Press as a small collective of “queer hackers mainly, not supported by any nation or capital, but rather supported by the desire to have fun, be gay and a better world.”

They were able to gain access to a Verkada “super” administrator account using valid credentials found online, said Kottmann. Verkada said in a statement that it has since disabled all internal administrator accounts to prevent any unauthorized access.

But for two days, the hackers said, they were able to peer unhindered into live feeds from potentially tens of thousands of cameras, including many that watched sensitive locations such as hospitals and schools. Kottmann said this included external and internal cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 first graders and six educators were killed in 2012 by a gunman in one of the deadliest school shootings in the history of the United States.

The school district superintendent did not return calls or emails requesting comment on Wednesday.

One of Verkada’s affected customers, the San Francisco web infrastructure and security company Cloudflare, said the compromised Verkada cameras were watching the entrances and main thoroughfares of some of its offices, which had been closed for nearly a year due to the pandemic.

“As soon as we became aware of the compromise, we deactivated the cameras and disconnected them from the office networks,” said spokeswoman Laurel Toney. “No customer data or processes were affected by this incident.”

Another San Francisco technology company, Okta, said that five cameras placed at the entrance to the offices were compromised, although there is no evidence that anyone viewed the live feeds.

Twitter said it has permanently suspended Kottmann’s account, which had posted materials collected in the hack, for violating its ban evasion rules, which typically happens when users start a new account to circumvent an earlier suspension. Kottmann had received a message from Twitter suspending the account for violating its rules against the distribution of hacked material, the hacker said.

The Verkada footage captured and shared by the hackers included a Tesla facility in China and the Madison County prison in Huntsville, Alabama. Madison County Sheriff Kevin Turner said in a statement on Wednesday that the prison took the cameras down, adding “we are confident that this unauthorized release has not affected and will not affect the safety of employees or prisoners.” Tesla did not respond to requests for comment.

Verkada, based in San Mateo, California, launched its cloud-based surveillance service as part of the next generation of workplace safety. Its software detects when people are in the camera’s field of view, and a “Person History” feature allows customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.

The company attracted negative attention last year when the video surveillance industry news site IPVM reported that Verkada employees had passed around photos of co-workers collected by the company’s internal cameras and made sexually explicit comments about them.

Cybersecurity expert Elisa Costante said it is worrying that this week’s hack was unsophisticated and simply involved using valid credentials to access a huge treasure trove of data stored on a cloud server.

“What is worrying is to see how much real-life data can go into the wrong hands and how easy it can be,” said Costante, vice president of research at Forescout. “It is a warning sign to ensure that, whenever you are collecting so much data, we need to have basic security hygiene.”

Kottmann said the hacker collective, active since 2020, does not seek specific targets. Instead, it scans the internet for organizations with known vulnerabilities and then works to “just restrict and exploit interesting targets.”
