A CCTV camera biz which left an admin account username and password exposed on the World Wide Web has, you guessed it, been targeted by hacktivists.
Verkada, makers of internet-connected surveillance devices, had around 150,000 cameras and archive footage accessible through its web infrastructure when unauthorised folk went poking about.
Those cameras belonged to a whole host of organisations, according to the Bloomberg financial newswire, including: Tesla; Cloudflare; hospitals; police stations; prisons and, allegedly, more.
The breach has been reportedly shut off, with a Verkada spokesman quoted as saying: “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
Cloudflare said in a statement the cameras in its premises that the hacktivists accessed “were located in a handful of offices that have been officially closed for several months” and also added something incomprehensible about “zero trust” being relevant to cameras deployed in its offices and aimed at its employees. The devices have now been disconnected.
Tesla told the Reuters newswire that the hacktivists viewed one Chinese production plant and not its showrooms in Shanghai, though the distinction was not explained.
Bloomberg also said it had been shown video footage of facial-recognition technology being operated covertly inside a US prison in Alabama. Britain’s Daily Telegraph reported that the NHS was a Verkada customer, though it did not say whether the hacktivists had been viewing UK surveillance footage.
The global infosec industry fell over itself this afternoon to speek itz branes about the breach.
“While the true motivation of the group remains hidden, it looks like cyber activism – a breach aiming to expose the poor security of CCTV cameras. However, keep in mind that these compromised devices could also be used to install malware and start DDoS attacks, as well as infiltrate connected networks – with profit to be gained,” opined Candid Wüest, Acronis’ cybersecurity research veep.
Kelvin Murray, a senior threat research analyst at Webroot, commented: “Online cameras have been a favourite hacker hobby for years but it is rare to hear of a security camera company being owned in this fashion, especially one with such high-profile clients. Thankfully for the victims, on this occasion the attackers seem to be more interested in vandalism and were fairly open about their activities.”
While some might baulk at the scale of digital surveillance revealed here, arguments against the digital panopticon were fought hard (and lost comprehensively) in the 2000s; these breaches are now a fact of life in the 21st century.
Numerous reports listed well-known hacktivist Tillie Kottmann as being partly responsible for the pwning of Verkada. We have asked Kottmann for comment. ®