What is the impact of the Verkada hack?
The news was hard to miss. Bloomberg reported March 9th of 2021 that hackers gained access to 150,000 customer camera feeds. Hackers gained access to over 150,000 of the company’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices.
The Verge reports: According to Tillie Kottmann, one of the members of the international hacker collective that breached the system, the hack was meant to show how commonplace the company’s security cameras are and how easily they’re able to be hacked. In addition to the live feeds, the group also claimed to have had access to the full video archive of all of Verkada’s customers. The hack was apparently relatively simple: the group managed to gain “Super Admin”-level access to Verkada’s system using a username and password they found publicly on the internet. From there, they were able to access the entire company’s network, including root access to the cameras themselves, which, in turn, allowed the group to access the internal networks of some of Verkada’s customers.
Verkada has confirmed the breach on March 10th of this year and announced immediate security measures were taken. The next day the company responded more elaborately:
First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
We are continuing to investigate the incident, and we are contacting all affected customers. At this point, we have confirmed that the attackers obtained the following:
- Video and image data from a limited number of cameras from a subset of client organizations
- A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
- A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.
At this time, we have no evidence that the breach compromised the following:
- User passwords or password hashes
- Verkada’s internal network, financial systems, or other business systems
We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.
In addition to our internal response team, we have retained two external firms, Mandiant Solutions and Perkins Coie, to conduct a thorough review of the root cause of this attack and support our efforts to ensure internal security. We also notified the FBI, who are assisting us in this investigation.
Within our community we often debate the pros and cons of cloud based security systems, Arguments against the use of cloud based security systems often relate to two major considerations:
- Hosting a security system in the cloud would make it more vulnerable for outside attacks.
- Hosting multiple clients in one infrastructure implies a single point of failure for all clients of the vendor that is offering and managing the cloud based security.
It is obvious that information security or cybersecurity must be taken enormously serious by vendors and their clients when embracing cloud based topologies.
The advantages of cloud based toplogies are undisputed. Modern security systems are not limited in space and time. Multiple sites, often situated in various continents, can be part of these systems. And information and functionality is accessible at any time from any place using smart devices. And the deployment of the system and the software maintenance are simplified, lowering the TCO. These advantages have driven the industry to embrace the concept of cloud based systems.
Incidents will happen. This will not be the last major breach that we will witness. But if the vendor of cloud based security systems want to further grow their market share, it is clearly of the upmost importance that suppliers and their customers make sure that deployed solutions are not only secure by design, but are also managed professional, serious, strict and with a sense of duty. The human element may very well be the most important security risk.
Cloud based topologies are used for video surveillance, access control, identity management, identification systems, intercom and many othern security applications. Breaches and hacks like the Verkada hack remind us of the vulneravilities and risks involved. A lesson we should all take serious.