Hacktivists made their way into the servers of a company called Verkada, a California-based enterprise security solution provider with multiple high-profile clients such as Tesla, Cloudflare, and luxury gym chain Equinox. The hackers had access to thousands of video feeds for about 48 hours. They did not cause any damage and claimed they only accessed the company’s servers to raise awareness about the dangers of mass surveillance. Verkada acknowledged the breach and highlighted that they do not have evidence that there have been any malicious actions against its customers.
A Swiss national named Tillie Kottmann, one of the hackers who claimed credit for the attack, said that the group got into the company's servers by posing as an employee with “Super Admin” rights. The attack appears not to have been very sophisticated: according to the hacktivist, members of the hacker group APT-69420 Arson Cats simply stumbled upon the login details for the administrator account while browsing the internet. From there, gaining access to the live feeds was a relatively easy task for the hacktivists.
Tillie Kottmann, whose personal blog says she loves to reverse engineer, explore and learn new frameworks, said in a statement to Security Info Watch that she generally dislikes any surveillance. She also added that if companies need to do it, they should not use a centralized cloud platform of VC-funded startups with more sales employees than customers. Twitter permanently suspended Kottmann’s account.
This cyber incident raises a whole lot of questions: why administrator login details were sitting on the web; why the tech startup had granted “Super Admin” rights to its 100+ employees, including 20-year-old interns; why the cameras have built-in backdoors; and how security failed to stop the attack for two days, allowing the hacktivists to access a root shell on any camera of any customer at the click of a button without exploiting any flaws or vulnerabilities.
Some of the cameras were aimed at ICU beds in hospitals and at other sensitive places in county jails, police departments, schools, and assisted living facilities. The hackers even had unobstructed access to the archives of those camera feeds. In many cases, the cameras were equipped with facial-recognition technology that identifies people and records in ultra-high-definition video. Employees have had access to those feeds for years.
Millions of security cams are sold globally every year. With the protests that ravaged the country over the last year and the ongoing Covid-19 pandemic, people have been buying more security systems than ever. Can those be trusted? No one knows for sure. However, such breaches prove that it is very likely there are other security companies with relaxed measures out there. This means that you probably should not point cameras at sensitive places in your house or workplace unless absolutely necessary; you never know whether a bored teenage hacker on the other side of the world is watching the feed.