Uber's God Mode. Hard-coded passwords in networking products. Rosenbridge processor backdoors. And now Verkada's super admin account that reportedly gave hackers — as well as more than 100 internal users — access to videos from tens of thousands of client cameras.
The list of massive security failures due to product or service architectures that give a single user or group unfettered privileges continues to grow. In the latest case, hackers gained access to a super admin account for the cloud service of security-camera startup Verkada, enabling them to view videos from nearly 150,000 cameras. Prisoners in county jails, factories for carmaker Tesla, and the offices of Internet-infrastructure firm Cloudflare were all viewable using privileged access, according to reports and hacker statements.
Accounts that have backdoor access to devices or unlimited service capabilities significantly undermine security — even more so as supply chain attacks have become more common, says Jeff Costlow, chief information security officer at ExtraHop, a cloud security firm.
"I'm OK with vendors having the ability to auto-update the device," he says. "That means they have control over the source code. But that doesn't mean that they have control over the device any time they want."
The massive breach of privacy of Verkada's customers highlights that companies — often, startups — have not always adopted best practices for privileged access to systems. The lesson is learned with regularity, often when a vendor's clients or customers have their security or privacy compromised.
A decade ago, for example, ride-share service Uber created a "God Mode" that gave administrators access to any Uber user's ride history, leading to a variety of abuses, including spying on the habits of celebrities, tracking reporters' movements, and stalking exes. Network and Internet of Things devices — from Cisco, Ubiquiti, and others — repeatedly have been found to have hard-coded or default passwords exposing the admin interface. And at the 2018 Black Hat Security Briefings, security researcher Christopher Domas demonstrated a way to gain Ring-0 privilege on older processors. While the technique was limited by the age of vulnerable processors, it demonstrated the prevalence of devices that have privileged access locked by a simple hard-coded secret.
"Backdoors built by default into a product with a standard reused secret is a dangerous thing," says Ray Canzanese, director of the threat labs at cloud security provider Netskope. "A leak of that secret means that anybody can now access any of those devices. And we, the industry, concluded long ago that is not a good approach to security."
Verkada issued an apology on Friday, acknowledging the breach of "video and image data from a limited number of cameras," but also suggested the company will retain the ability to view any client's video stream. The video service will, however, create a better approach to logging access to customers' data. It has also prioritized the hiring of security engineers and contracted with third-party security consultants to conduct a review, CEO Filip Kaliszan said in the statement.
"While we already have robust logging and audit capabilities, we will ensure that customers receive proactive notifications whenever their data is accessed by Verkada, including by our technical staff," Kaliszan said.
While many vendors retain some level of access to devices and services, suppliers should review what privileges are necessary to maintain their products and services and clearly communicate that to customers, says ExtraHop's Costlow.
While a managed service provider is explicitly given access to devices, most businesses do not expect vendors to have the same level of access. Any such access should have significant controls, restrictions, and auditing in place, he says.
"It is considered brittle security when you have one control protecting everything, and that is what appears to be the case here," Costlow says. "Once you have access to one [credential], you've got access to everything — that is an anti-pattern. That is not the way that it should be designed."
On Friday Swiss authorities raided the apartment and seized the electronic devices of Tillie Kottmann, the hacker responsible for sharing video and images of the compromise, according to a Bloomberg News report. Tweets posted to Kottmann's now-removed Twitter feed suggest the hacker and possible associates — using the moniker "APT-69420 Arson Cats" — had targeted the companies seemingly out of pique.
"APT-69420 wishes all companies affected a very have fun (sic) doing incident response," Kottmann tweeted, according to a detailed Cloudflare blog post responding to the incident.
The incident could have been much worse. Cloudflare, for example, said in its post that the breach only accessed the video cameras and that the company's implementation of a zero-trust architecture limited any breach.
"[I]f we had been using the old castle-and-moat style of corporate networking (where anything and anyone on the corporate network are inherently trusted) the outcome could have been different," stated John Graham-Cumming, chief technology officer at Cloudflare, in the blog post. "This is why Zero Trust is so powerful. It allowed us all to work from home because of COVID-19 and it means that an attacker who got into the office network doesn’t get any further."