Hackers have broken into a security camera company in Silicon Valley, spying on real-time surveillance camera footage from inside Sandy Hook school, Equinox gyms, hospitals, police stations, prisons and a Tesla factory in Shanghai.
The hackers were part of an international group, and begun their attack on Verkada on Monday morning, they said.
Tillie Kottmann, one of the hackers, told Bloomberg they did it for fun, and accessed 150,000 cameras.
‘Lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it,’ Kottmann said.
A group of computer hackers have accessed 150,000 security cameras owned by Verkada
The Silicon Valley-based startup (pictured) say they now have the attack under control
Verkada told Bloomberg that they have now blocked the hackers’ access.
The hackers said that, when Bloomberg approached Verkada for comment, their access was suddenly cut.
‘We have disabled all internal administrator accounts to prevent any unauthorized access,’ a Verkada representative said in a statement.
Verkada offer a range of internet-accessible surveillance cameras for the home and office
‘Our internal security team and external security firm are investigating the scale and scope of this potential issue.’
Verkada, founded in 2016, sells security cameras that customers can access and manage through the web.
In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion.
The hackers gained access to Verkada through a ‘Super Admin’ account, allowing them to peer into the cameras of all of its customers.
Kottmann said they found a user name and password for an administrator account on the internet.
A source within the company told Bloomberg that Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident.
The company is said to be working to notify customers and set up a support line to address questions.
Verkada’s cameras were accessed on Monday morning, the hacking group told Bloomberg
Calling themselves ‘Advanced Persistent Threat 69420’ – a reference to the designations cybersecurity firms give to state sponsored hacking groups and criminal cybergangs – the group even accessed footage showing a live feed of Verkada’s offices.
Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage.
The hackers say they also have access to the full video archive of all Verkada customers, and some audio.
In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed.
At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras pointed at nine ICU beds.
Hackers also say they watched cameras at Tempe St. Luke’s Hospital, in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did so.
Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line.
The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
The hackers also obtained access to Verkada cameras in Cloudflare offices in San Francisco, Austin, London and New York.
Hackers had access to live feeds from the cameras until Bloomberg asked Verkada for comment
The cameras at Cloudflare’s headquarters rely on facial recognition, according to images seen by Bloomberg.
Inside a police station in Stoughton, Massachusetts, a man in handcuffs is being questioned, in a clip also seen by Bloomberg.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama.
Cameras inside the jail were hidden inside vents, thermostats and defibrillators, and used to track inmates and correctional staff using the facial-recognition technology.
They accessed 17 cameras inside Arizona’s Graham County detention facility and found that videos were given titles by the center’s staff and saved to a Verkada account.
One video, filmed in the ‘Commons Area,’ is titled ‘ROUNDHOUSE KICK OOPSIE.’
A video filed inside the ‘Rear Cell Block’ is called ‘SELLERS SNIFFING/KISSING WILLARD???’
Another video, filmed inside ‘Drunk Tank Exterior’ is titled ‘AUTUMN BUMPS HIS OWN HEAD.’
Two videos filmed from ‘Back Cell’ are titled ‘STARE OFF – DONT BLINK!’ and ‘LANCASTER LOSES BLANKET.’
Kottmann said their group was able to obtain ‘root’ access on the cameras, meaning they could control the cameras or hijack them to launch a future attack.
The hack ‘exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,’ Kottmann said.
‘It’s just wild how I can just see the things we always knew are happening, but we never got to see.’