Organizations using the vendor's cameras said to be affected include Tesla and software provider Cloudflare, while Bloomberg has reported that the hackers also gained access to footage inside psychiatric hospitals and health clinics.
The data breach is said to have been carried out by an international hacker collective, with one of the individuals involved explaining the reasons behind the attack were "lots of curiosity, fighting for freedom of information… and it's also just too much fun not to do it."
A Verkada spokesperson told Bloomberg that the company has "disabled all internal administrator accounts to prevent any unauthorised access," and that its internal security team "are investigating the scale and scope of the issue, and we have notified law enforcement."
The company has also set up a support line for its customers.
Many of the cameras utilize video analytics software, including facial recognition and tracking technology. The hackers have said they've been able to access live feeds and archived video, as well as audio.
The breach was described as "unsophisticated": the hacking group used a "super admin" account to gain access, and the spokesperson from the collective said they found the administrator username and password on the internet.
The news will likely raise further concerns over the inherent cyber protection in physical security devices — an issue experts have been highlighting for some time, as they call for growing awareness of potential vulnerabilities and the uptake of converged security solutions to cover both cyber and physical attacks.
In IFSEC Global's Video Surveillance 2020 Report, 76% of security end-users and consultants said they were either "quite" or "very" worried about the vulnerability of their surveillance systems to cyber-attacks, with almost half citing "back doors created by manufacturers for customer support and troubleshooting" as the main cause of concern. Inadequate protection within surveillance hardware was cited as the third biggest potential vulnerability in surveillance systems, too.
Sarb Sembhi, CTO & CISO at Virtually Informed, and regular contributor to IFSEC Global on the subject, commented: "If the attackers are to be believed (and there is no reason not to believe them), then creating a device with default username and password that doesn't have to be changed on installation is most obviously bad practice. Especially given that almost every mass CCTV system attack we hear of has been as the result of this very same issue. One would like to think that any security company, be it physical or cyber security, understood the stakes of having high profile clients enough to at least get this one simple thing right.
"I think it interesting that the vendor finishes by saying that law enforcement have been informed — as if that would make up for the fact that they have lapsed in their responsibility to change the admin password. However big a failing this may be, so far the industry doesn't seem to have come up with a simple solution for systems managers to be able to create, store and use passwords effectively, or to have added a second authenticating factor in such systems. If there were such solutions, it would reduce the internal discussion around how are we going to remember 150K passwords."
Elisa Costante, VP of Research at Forescout, added: "Connected cameras are supposed to provide an additional layer of security to organizations that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.
"In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organizations particularly vulnerable to these kinds of attacks. The only way for organizations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place."
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.