Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

02:30 PM

'Thousands' of Verkada Cameras Affected by Hacking Breach

Thousands of Verkada cameras have been affected by a breach from a group of hackers, who have reportedly gained access to surveillance systems inside several high-profile companies, police departments, hospitals, prisons and schools.

Organizations using the vendor's cameras said to be affected include Tesla and software provider Cloudfare, while Bloomberg has reported that the hackers also gained access to footage inside psychiatric hospitals and health clinics.

Related Content:

Increase in Physical Security Incidents Adds to IT Security Pressures

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: How to Protect Vulnerable Seniors From Cybercrime

The data breach is said to have been carried out by an international hacker collective, with one of the individuals involved explaining the reasons behind the attack were "lots of curiosity, fighting for freedom of information… and it's also just too much fun not to do it."

A Verkada spokesperson told Bloomberg that the company has "disabled all internal administrator accounts to prevent any unauthorised access," and that its internal security team "are investigating the scale and scope of the issue, and we have notified law enforcement."

The company has also set up a support line for its customers.

Many of the cameras utilize video analytics software, including facial recognition and tracking technology. The hackers have said they've been able to access live feeds and archived video, as well as audio.

The breach was described as "unsophisticated," with the hacking group using a "super admin" account to gain access, with the spokesperson from the collective saying they found the administrator username and password on the internet.

The news will likely raise further concerns over the inherent cyber protection in physical security devices — an issue experts have been highlighting for some time, as they call for growing awareness of potential vulnerabilities and the uptake of converged security solutions to cover both cyber and physical attacks.

In IFSEC Global's Video Surveillance 2020 Report, 76% of security end-users and consultants said they were either "quite" or "very" worried about the vulnerability of their surveillance systems to cyber-attacks, with almost half citing "back doors created by manufacturers for customer support and troubleshooting" as the main cause of concern. Inadequate protection within surveillance hardware was cited as the third biggest potential vulnerability in surveillance systems, too.

Sarb Sembhi, CTO & CISO at Virtually Informed, and regular contributor to IFSEC Global on the subject, commented: "If the attackers are to be believed (and there is no reason not to believe them), then creating a device with default username and password that doesn't have to be changed on installation is most obviously bad practice. Especially, given that almost every mass CCTV system attack we hear of has been as the result of this very same issue. One would like to think that any security company, be it physical or cyber security understood the stakes of having high profile clients enough to at least get this one simple thing right.

"I think it interesting that the vendor finishes by saying that law enforcement have been informed — as if that would make up for the fact that they have lapsed in their responsibility to change the admin password. However, a big a failing this may be, so far the industry doesn't seem to have come up with a simple solution for systems managers to be able to create, store and use passwords effectively, or to have added a second authenticating factor in such systems. If there were such solutions, it would reduce the internal discussion around how are we going to remember 150K passwords."

Elisa Costante, VP of Research at Forescout, added: "Connected cameras are supposed to provide an additional layer of security to organizations that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.

"In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organizations particularly vulnerable to these kinds of attacks. The only way for organizations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place."

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

James Moore is the Editor of IFSEC Global, the leading resource for security and fire news in the industry. James was previously Editor of Professional Heating & Plumbing Installer magazine. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions <...
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to to plant custom binaries and execute them with System permissions. Exploitation of this issue requires user interaction.
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. An unauthenticated attacker could exploit this to elevate privileges in the context of the current user.
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to rewrite the file of the administrator, which may lead to elevated permissions. Exploitation of this issue requires user interaction.
PUBLISHED: 2021-04-16
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.