
Vulnerabilities / Threats
3/15/2021 09:55 AM

Verkada Breach Demonstrates Danger of Overprivileged Users

In re-evaluating supply chains, companies should classify vendors with super admin privileges to devices or backdoors as a significant threat.

Uber's God Mode. Hard-coded passwords in networking products. Rosenbridge processor backdoors. And now Verkada's super admin account that reportedly gave hackers — as well as more than 100 internal users — access to videos from tens of thousands of client cameras.

The list of massive security failures due to product or service architectures that give a single user or group unfettered privileges continues to grow. In the latest case, hackers gained access to a super admin account for the cloud service of security-camera startup Verkada, enabling them to view videos from nearly 150,000 cameras. Prisoners in county jails, factories for carmaker Tesla, and the offices of Internet-infrastructure firm Cloudflare were all viewable using privileged access, according to reports and hacker statements.


Accounts that have backdoor access to devices or unlimited service capabilities significantly undermine security — even more so as supply chain attacks have become more common, says Jeff Costlow, chief information security officer at ExtraHop, a cloud security firm.

"I'm OK with vendors having the ability to auto-update the device," he says. "That means they have control over the source code. But that doesn't mean that they have control over the device any time they want."

The massive breach of privacy of Verkada's customers highlights that companies — often, startups — have not always adopted best practices for privileged access to systems. The lesson is learned with regularity, often when a vendor's clients or customers have their security or privacy compromised.

A decade ago, for example, ride-share service Uber created a "God Mode" that gave administrators access to any Uber user's ride history, leading to a variety of abuses, including spying on the habits of celebrities, tracking reporters' movements, and stalking exes. Network and Internet of Things devices — from Cisco, Ubiquiti, and others — repeatedly have been found to have hard-coded or default passwords exposing the admin interface. And at the 2018 Black Hat Security Briefings, security researcher Christopher Domas demonstrated a way to gain Ring-0 privilege on older processors. While the technique was limited by the age of vulnerable processors, it demonstrated the prevalence of devices that have privileged access locked by a simple hard-coded secret.

"Backdoors built by default into a product with a standard reused secret is a dangerous thing," says Ray Canzanese, director of the threat labs at cloud security provider Netskope. "A leak of that secret means that anybody can now access any of those devices. And we, the industry, concluded long ago that is not a good approach to security."

Verkada issued an apology on Friday, acknowledging the breach of "video and image data from a limited number of cameras," but also suggested the company will retain the ability to view any client's video stream. The video service will, however, create a better approach to logging access to customers' data, has prioritized the hiring of security engineers, and has contracted with third-party security consultants to conduct a review, CEO Filip Kaliszan said in the statement.

"While we already have robust logging and audit capabilities, we will ensure that customers receive proactive notifications whenever their data is accessed by Verkada, including by our technical staff," Kaliszan said.

While many vendors retain some level of access to devices and services, suppliers should review what privileges are necessary to maintain their products and services and clearly communicate that to customers, says ExtraHop's Costlow. 

While a managed service provider is explicitly given access to devices, most businesses do not expect vendors to have the same level of access. Any such access should have significant controls, restrictions, and auditing in place, he says.

"It is considered brittle security when you have one control protecting everything, and that is what appears to be the case here," Costlow says. "Once you have access to one [credential], you've got access to everything — that is an anti-pattern. That is not the way that it should be designed."
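One way to structure the scoped, time-boxed, audited vendor access Costlow describes, with no single credential that unlocks every customer. This is an added example, not Verkada's, ExtraHop's or any vendor's code; the AccessGrant, VendorAccessBroker and demo names and the "acme"/"cam-17"/"support-1" values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class AccessGrant:
    customer: str
    vendor_user: str
    devices: frozenset   # only the device IDs the customer opted in
    expires: datetime    # grants are time-boxed, never standing
    purpose: str         # e.g. a support-ticket reference (constructed here)

class VendorAccessBroker:
    """One credential never unlocks everything: access exists only where a customer
    granted it, and every attempt, allowed or denied, lands in self.audit as
    (time, customer, vendor_user, device, allowed, reason) for customer notification."""
    def __init__(self):
        self._grants, self.audit = [], []

    def grant(self, g):
        self._grants.append(g)

    def check(self, vendor_user, customer, device, now):
        allowed, reason = False, "no grant from customer"
        for g in self._grants:
            if g.customer != customer or g.vendor_user != vendor_user:
                continue
            if now >= g.expires:
                reason = "grant expired"
            elif device not in g.devices:
                reason = "device outside granted scope"
            else:
                allowed, reason = True, g.purpose
                break
        self.audit.append((now, customer, vendor_user, device, allowed, reason))
        return allowed

def demo():
    # Constructed scenario: 'acme' lets vendor user 'support-1' view cam-17 for one hour.
    t0 = datetime(2021, 3, 9, 12, 0, tzinfo=timezone.utc)
    broker = VendorAccessBroker()
    broker.grant(AccessGrant("acme", "support-1", frozenset({"cam-17"}),
                             t0 + timedelta(hours=1), "ticket-1234 (constructed)"))
    results = (
        broker.check("support-1", "acme", "cam-17", t0),                       # allowed
        broker.check("support-1", "acme", "cam-99", t0),                       # out of scope
        broker.check("support-2", "acme", "cam-17", t0),                       # no grant
        broker.check("support-1", "acme", "cam-17", t0 + timedelta(hours=2)),  # expired
    )
    return results, broker.audit
```

Because denied attempts are logged alongside allowed ones, the audit trail also shows a customer when a vendor user reached for devices they were never granted.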

On Friday Swiss authorities raided the apartment and seized the electronic devices of Tillie Kottmann, the hacker responsible for sharing video and images of the compromise, according to a Bloomberg News report. Tweets posted to Kottmann's now-removed Twitter feed suggest the hacker and possible associates — using the moniker "APT-69420 Arson Cats" — had targeted the companies seemingly out of pique.

"APT-69420 wishes all companies affected a very have fun (sic) doing incident response," Kottmann tweeted, according to a detailed Cloudflare blog post responding to the incident.

The incident could have been much worse. Cloudflare, for example, said in its post that the breach only accessed the video cameras and that the company's implementation of a zero-trust architecture limited any breach.

"[I]f we had been using the old castle-and-moat style of corporate networking (where anything and anyone on the corporate network are inherently trusted) the outcome could have been different," stated John Graham-Cumming, chief technology officer at Cloudflare, in the blog post. "This is why Zero Trust is so powerful. It allowed us all to work from home because of COVID-19 and it means that an attacker who got into the office network doesn’t get any further."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...