Verkada CCTV Breach Exposes Hundreds Of Businesses

Compromise of Verkada's CCTV system sees hackers gain admin access to cameras inside Tesla, hospitals, police stations, a prison, etc.

Hackers have compromised hundreds of businesses after gaining administrative access to CCTV cameras installed in thousands of businesses.

The compromise has reportedly been confirmed by California-based Verkada, which provides cloud-based security camera services to a range of businesses.

According to Bloomberg, Verkada has 150,000 CCTV cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, a prison, schools, police stations, and Verkada’s own offices.


Verkada compromise

An international hacker collective reportedly breached the security-camera data collected by Verkada in order to demonstrate how commonplace the company’s security cameras are, and how easily hackable they are.

Bloomberg said the hackers were able to view video from inside women’s health clinics, psychiatric hospitals and indeed the offices of Verkada itself.

Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorise people captured on the footage.

The hackers reportedly said they also have access to the full video archive of all Verkada customers.

Bloomberg itself reported that it had viewed a video of a Verkada camera inside Florida hospital Halifax Health, which showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed.

Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line.

The hackers reportedly said they obtained access to 222 cameras in Tesla factories and warehouses.

Bloomberg cited one of the hackers as being Tillie Kottmann, who has previously claimed credit for hacking Intel and Nissan Motor Co.

Kottmann reportedly said the reasons for the hacking by the collective are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

Kottmann reportedly called the hacking collective “Advanced Persistent Threat 69420,” a reference to the designations cybersecurity firms give to state-sponsored hacking groups and cybercriminals.

Kottmann said they were able to download the entire list of thousands of Verkada customers, as well as the company’s balance sheet. Kottmann said hackers watched through the camera of a Verkada employee who had set one of the cameras up inside his home.

Verkada response

Verkada responded and said that it has notified law enforcement of the breach.

“We have disabled all internal administrator accounts to prevent any unauthorised access,” a Verkada spokesperson was quoted by Bloomberg as saying in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are reportedly investigating the incident.

Verkada is also reportedly working to notify customers and set up a support line to address questions.

“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare reportedly said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.”

The company said it disabled the cameras and disconnected them from office networks.

Prison hacked

The hackers were also able to gain access to 330 security cameras inside the Madison County Jail in Huntsville, Alabama.

Bloomberg said it had seen images showing that the cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, can track inmates and correctional staff using facial-recognition technology.

The hackers reportedly said they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in high-definition (4K) resolution.

It is also reported that Verkada fired three employees in October 2020, after reports surfaced that workers had used its cameras to take pictures of female colleagues inside the Verkada office and make sexually explicit jokes about them.