Hackers gain access to over 150 000 security cameras

Hacktivists claim to have broken into the network of Verkada, a video security solution provider, gaining access to live feeds from over 150 000 surveillance cameras the organisation manages for Cloudflare, Tesla and many others, in schools, hospitals, jails and more.

First reported by Bloomberg, the breach was carried out by an international ‘hacktivist’ collective called APT 69420 Arson Cats, with the apparent aim of highlighting the pervasiveness of video surveillance, as well as the ease with which these systems could be compromised.

One of the hackers, Tillie Kottmann, who previously claimed credit for hacking Intel and Nissan, said their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it”.

The collective published videos and images they claimed were taken from offices, warehouses and factories of those companies, as well as from jail cells, psychiatric wards, banks and schools. Footage viewed by a Bloomberg reporter showed employees at Florida hospital Halifax Health grappling with a man and pinning him to a bed. In another video, a handcuffed man was shown in a police station in Massachusetts, being questioned by officers.

“I don’t think the claim ‘we hacked the Internet’ has ever been as accurate as now,” added Kottmann.

According to Kottmann, the hack was made possible when Verkada exposed an unprotected internal development system on the Web, which contained credentials for an account that had super admin rights to the company’s network.

Once the hackers had gained a foothold on the network, they were able to access feeds from 150 000 cameras, some of which featured high-definition video and employed facial recognition.

In a statement, a Verkada spokesperson said: “We have disabled all internal administrator accounts to prevent any unauthorised access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

A Cloudflare representative wrote: “This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year. As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, no customer data or processes have been impacted by this incident.”

Ilia Kolochenko, founder and CEO at ImmuniWeb, commented: "This incident will likely trigger an avalanche of legal and judicial costs for the affected companies as the leak of such data is a reportable security incident under many state and federal laws. Moreover, individual notifications to the exposed victims filmed by the compromised cameras, or even notifications by a press release, may be required as a matter of law depending on the specific usage and location of the branched cameras.”

He says the US has already enacted a federal law to prevent unsecured IOT devices from being supplied to the Federal government via the “IOT Cybersecurity Improvement Act” in 2020. States such as California and Oregon also pioneered state regulation of IOT security by enacting state laws. The California law is quite comprehensive from a technical viewpoint, but is comparatively toothless: individuals cannot sue under the law and there are no fixed monetary penalties like under CCPA/CPRA, which serve as a formidable deterrence for those who misuse personal data of the state citizens.

"In Europe, ENISA recently published a standard for the security of IOT devices; however, it has no legally binding power. To avoid domino-effect hacks of this nature, we urgently need a harmonious IOT data security legislation both in the US and EU.

“The current 'patchwork' of disjoint laws is confusing, burdensome and inefficient,” Kolochenko ended.