Verkada, a security start-up focused on cloud-based security cameras, disclosed suffering a major security breach; hackers gained access to over 150,000 security cameras. These cameras include those in Tesla factories, Cloudflare offices, Equinox gyms, hospitals, jails, schools, and police stations.
Surprisingly, the hackers behind the attack actually announced their culpability on Twitter: Tillie Kottmann of the APT 69420 Arson Cats (a hacker collective) stated the intention was to demonstrate the vulnerability of the cloud-based cameras. Additionally, the group claims to have gained access to Verkada’s full video archive for all of its customers.
According to reports, the hacker group gained this access via a privileged account, the username and password of which was available publicly on the Internet. This granted them the root access necessary to conduct the cyber-attack. At the time of writing, Verkada is attempting to regain control over their live feeds and archive.
For further perspective on this breach, which raises both identity management and physical security issues, we consulted some cybersecurity experts.
Expert Commentary on the Verkada Breach
Ray Canzanese is Director of Netskope Threat Labs.
“Unfortunately, we see a lot of companies who don’t apply multi-factor authentication to super-admin accounts with root privileges. This type of hack is preventable if companies have tighter control over super admin credentials to prevent leaks, use multi-factor authentication to prevent leaked or stolen credentials from being used, and monitor access to detect things like failed log-in attempts which can be a precursor to unauthorized access. These types of attacks are becoming more common as more organizations move to cloud and don’t have the policies or measures in place to secure a cloud-first environment.”
Patrick Hunter is Sales Engineering Director for EMEA at One Identity.
“Every computer system in the cloud has one major weakness. In the case of Verkada, they are holding data that has the most public shock factor, video surveillance. What did Verkada do wrong? They allegedly didn’t have control over the one account they needed to. It is possible that the account wasn’t monitored and that the password wasn’t regularly changed on a rotation basis, but the biggest error was underestimating the power of one single account to undo their business and grant access to everyone’s data. At the very least, there should have been some form of multi-factor authentication or password vault to protect the account. Whenever an admin accessed it, they would have to prove that they were who they said they were, which is a simple, cheap, and effective first line of defense.
Locking away the password completely in a vault is one solution and the admins have to “break glass” to get it out, or even better just offer the admins a session that they can use without ever knowing a password. This makes it more difficult to hack as no one knows the password and it will be encrypted in a deeply secured vault. Password vault and session management systems like this are almost mandatory in today’s GDPR embrace and there is no excuse for ignorance. Anyone that stores their data on the internet has to expect their security to be tested at some point. You cannot keep your head in the sand and take the risk anymore, as fines and repercussions have real teeth.”
Garret Grajek is CEO of YouAttest.
“Though there are advanced state groups attacking our systems as SolarWinds and the Accellion attack surely demonstrate, the Verkada breach does not appear to be one of them. What enterprises need to understand is we need to start with security 101. That starts with changing ALL default passwords, especially the admin account passwords. A quantified/verified system to manage and change these passwords is recommended as is turning on two-factor authentication when possible.”
“We simply cannot make it this easy for hackers to enter our systems. We must remember – all our systems are being scanned all the time. Especially if a system has a published vulnerability.”
Saryu Nayyar (she/her) is CEO of Gurucul.
“The Verdaka breach appears to stem from inadvertently leaving an Admin level password exposed. If true, it points to a policy failure and a lack of adequate access controls. While the attackers claim to be up to a bit of mischief rather than disruptive crime, it is still illegal.
Verdaka will need to review their access policies and their security stack to make sure they have the right defenses in place, including security analytics, to make sure another breach like this doesn’t happen in the future.”
Bryson Bort is CEO of SCYTHE.
“This happened because of an insider threat. Employees at Verdaka had Super Admin privileges which allowed them access to all cameras— this means they could spy on customer feeds without their knowledge. The Super Admin password was leaked publicly. This is an example of bad security practices and the erosion of trust and privacy with customers. Customers depend on companies to do the right thing with ubiquitous always-on and connected devices because there is no way for them to know what’s really happening.”
- The Best Books for Identity Security Available Now - September 16, 2021
- Authentication Apps: Best of 2021 and Beyond from Solutions Review - September 15, 2021
- Authentication Platforms: Best of 2021 and Beyond from Solutions Review - September 14, 2021