Footage and live feeds from 150,000 surveillance cameras, including those belonging to carmaker Tesla, have been accessed by hackers in a new data breach.
The attack saw the perpetrators access data collected by cloud-based camera management startup Verkada Inc. In addition to Tesla, the hackers compromised data from website security company CloudFlare, along with live feeds to hospitals, prisons, schools, and Verdaka’s offices themselves.
Tesla has said that the breach was limited to a supplier’s production site in China, with its Shanghai car factory and showrooms unaffected. It added that the factory’s data was stored locally and the breach posed no security risk. The cameras have since been stopped.
Some of the Verdaka’s customers utilise facial recognition software, meaning that people filmed by the cameras could potentially be identified and tracked.
The hackers claim to have accessed the company’s entire video archive. As part of the Tesla breach, they said had accessed 222 surveillance cameras in Tesla factories and warehouses. They warned that they could have used their control of the cameras to access other parts of Tesla’s networks.
In addition, the hackers claim to have accessed the full list of Verkada’s customers and its private financial information.
The company has not yet confirmed the scale of the attack. Currently, it is working with an external security firm to investigate the incident. The company has set up a support line and is currently notifying affected customers. It has also notified law enforcement.
One of the victims, Cloudflare, said: “This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in a handful of offices that have been officially closed for several months.” The cameras have been disabled and disconnected, the company added.
- Do you know what cybersecurity threats lurk behind those QR codes?
- Malware on Google Play Store apps let attackers takeover phones
- Scot-Secure 2021 Virtual Summit | Just two weeks to go!
According to Tillie Kottmann, a member of the international hacker collective behind the breach, the attack aimed to show how pervasive the use of surveillance cameras is, along with how easy it is for systems to be broken into.
The attackers used a username and password they found publicly on the internet to gain “Super Admin”-level access to Verkada’s system.
Their reason for the hack, according to Kottmann, was “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it”.
They added that the hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
Kottmann has previously found security flaws in mobile apps and other systems.
The hacker collective shared the footage with the media, including Bloomberg and Reuters.
Since becoming aware of the hack, Verkada cut the hackers’ access to the company’s video feeds.
Global Head of Product Security at F-Secure Thierry Decroix commented: “Networked IP cameras are notorious for their limited technical security and aren’t made to withstand the modern threat landscape. Poor security practices can lead to extensive breaches as demonstrated by how easy this threat actor was able to gain access to all cameras by finding the Super Admin account password on the internet through OSINT means.
“Inadequate security protocols can also mean vulnerabilities allow attackers to do pretty much whatever, performing malicious activity inside the network and outside, against other parties. It’s therefore important that any organisation purchasing technology products like this considers assessing their security standards before deployment, to adequately understand the risk they are exposing themselves to and allow necessary mitigations or secure alternatives to be put in place prior to roll-out.
“For vendors that are creating and selling technology products of any kind, this incident demonstrates the importance of proper security reviews during the product engineering process and of adhering to security best practices, which are no longer optional in 2021”.
Join the Debate: ScotSecure 2021
The evolution of cybersecurity and data protection will be key areas of discussion at the upcoming Scot-Secure Cybersecurity Conference on March 24-25th.
Hear from leading experts from across the cybersecurity sector and explore the crucial issues.
Register your free place now at: https://www.scot-secure.com