Experts Reaction On Verkada Hack Affecting 150,000 Of Its Security Cameras

Security firm Verkada is investigating a massive hack said to have affected 150,000 of its security cameras. The company provides cameras to companies including carmaker Tesla, and the stolen footage included the insides of hospitals, schools, and businesses. Cybersecurity experts react below.

Expert Comments

March 11, 2021
Simon Mullis
Chief Technology Officer
Venari Security

This breach demonstrates how crucial it is for businesses that hold sensitive data to keep it private and stored securely.

 

Cyber attackers are becoming increasingly more targeted and sophisticated with their methods of attack. So, it’s vital businesses are aware of this, as simple steps can be put in place by any company that experiences a data breach to help prevent it happening again. This includes ensuring full visibility of company endpoint devices and securing cloud networks to block unauthorised access to customer data.

 

Additionally, having a company culture which prioritises cybersecurity and encourages business stakeholders to work regularly in partnership with IT and security professionals can also act as an effective preventative measure.

 

When offering a service which involves handling sensitive data, having adequate cyber defences in place is of the utmost importance.

March 12, 2021
Bryan Embrey
Product Marketing
Zentry Security

In this case, hackers used relatively unsophisticated methods to penetrate Verkada’s systems.  However, it illustrates that this attack could have been prevented by using zero trust techniques like multi-factor authentication, which requires more than a simple username and password to gain access.  Moreover, this attack spotlights the extent of resources that can be exfiltrated if an attack is successful – not only nearly 150,000 camera feeds, but records of 24,000 Verkada customers, and Verkada company records and financial statements.  It is imperative that organizations deploy zero trust mechanisms today to reduce the chance of unauthorized network access.

March 12, 2021
Josh Bohls
Founder
Inkscreen

While this breach is related to IoT security cameras, it underscores the importance of protecting and managing multimedia content (photos, videos, audio recordings) that employees capture. This is especially critical when it comes to mobile devices; the photos and videos captured on the job are often left unprotected and outside the sphere of IT control.

March 11, 2021
Patrick Hunter
Sales Engineering Director, EMEA
One Identity

Every computer system in the cloud has one major weakness. The password to access the accounts that matter most. In the case of Verkada, they are holding data that has the most public shock factor, video surveillance. Everyone will be wondering what the impact is on them personally along with the companies directly affected. What did Verkada do wrong?  Well, they allegedly didn’t have control over the one account that they needed to. It is possible that the account wasn’t monitored and that the password wasn’t regularly changed on a rotation basis. But the biggest error was underestimating the power of one single account to undo their business and grant access to everyone’s data. At the very least, there should have been some form of multifactor authentication to protect the account. Whenever anyone accessed it, they would have to prove that they were who they said they were.  Simple, cheap and effective as a first line of defence.

 

Once a hacker is inside, however, there is little to stop them without further controls. Locking away the password completely in a vault is one solution and the admins have to “break glass” to get it out, or even better just offer the admins a session on their screen that they can use without ever knowing a password.  Therefore, there is nothing to hack as no one knows the password and it will be encrypted in a deeply secured vault.

 

Password vault and session management systems like this are almost mandatory in today’s GDPR-defined landscape and there is no excuse for ignorance.  This exact scenario has been widely documented and even seen in modern fiction (“Invasion of Privacy” – Ian Sutherland). It isn’t that video surveillance companies that store their data in the cloud are easy to break; I feel it has much more impact to the public.  Anyone that stores their data on the internet has to expect their security to be tested at some point.  You cannot keep your head in the sand and take the risk any more, as fines and repercussions have real teeth.

 

Access to the video data is one thing but the hackers won’t be able to use Verkada’s code to run facial recognition against it unless they had access to the client software. However, with that said, any data stored about personnel that have been recognised and then documented may be fair game. 

 

How many people haven’t changed their home systems passwords? Ring, Nest, etc. doorbells?  All with facial recognition and all much more personal and close to home and all potential targets.  I bet everyone will change their own passwords after reading stories like this.  As we’ve seen that is only half the story, if the back end systems aren’t maintained and using mechanisms, as above, to protect the master and super user passwords then it’s in vain.

March 11, 2021
Sam Curry
Chief Security Officer
Cybereason

The reports of the hacktivist breach of more than 150,000 surveillance cameras used inside Tesla's warehouses, police stations, jails and hospitals around the world, is a reminder that even though recent nation-state cyber attacks on SolarWinds and Microsoft Exchange Servers are garnering headlines, hacktivist groups are still players in the global cyber ecosystem. This isn't a one-time breach as this international group of hacktivists have claimed responsibility for other breaches in the past. It makes no difference if the motives of any threat actor are social, political or financial in nature, when crimes are committed and laws broken. It is also a reminder how vast the threat landscape is. This breach appears to have been preventable if the administrator's username and password weren't exposed on the Internet. Preventative medicine starts when user credentials are frequently updated and security awareness training is regularly offered. Today, there are more than 1 billion surveillance cameras in use around the world and security is an afterthought in many of them, resulting in spying and unlawful monitoring of unsuspecting victims.

March 11, 2021
Asaf Hecht
Cyber Research Team Leader
CyberArk

The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer.

 

While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact. And while Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed.

 

“Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”

March 11, 2021
Jake Moore
Cybersecurity Specialist
ESET

More and more security camera footage is stored online, but most of this has little protection from persistent attackers. Such footage needs to be highly secured in order to remain private and safe from extortion or other types of data leak. One way around this is to question if security footage really needs to be stored online. Malicious actors will always attempt to target any sensitive data stored in the cloud, so if there is a way to store it offline, businesses should consider this option. Then, it is completely off the radar and safer. However, if the footage must remain online, it is vital to protect it via multi factor authentication, complex passwords, and limited personnel access.

March 11, 2021
Mark Bower
Senior Vice President
comforte AG

The new generation of high-tech growth innovators born in the cloud and disrupting industry can’t rely on more only traditional security approaches based on perimeter controls, container or transit encryption, especially given the backdrop of increasingly complex data privacy regulations. One of the challenges is that while cloud backbones provide the basic container and pipe data security, gaps in data lifecycle protection can result in exploits, accidents or unauthorized access, especially as data is moved from operational platforms to data engineering analytics systems.

 

In this breach, it’s been reported that both video as well as personal financial data was compromised. So whether it’s digital data, or personal data, every company processing, using and storing personal or personal identity-related data has to think about a modern data-centric approach to secure it comprehensively well beyond the reach of traditional controls which were evaded in this compromise.

March 11, 2021
Adam Enterkin
SVP, EMEA
BlackBerry

The hack on Verkada's camera systems is a warning to even the most innovative of companies, and shows that data security and privacy must come first. Those without fully up to date cybersecurity to protect networks are playing with fire in today's volatile threat landscape.

 

This episode should serve as an important wake-up call for all those who have a role to play in securing critical embedded systems. Securing everything means just that: every camera, sensor, or device must have secure endpoint protection, or else entire networks can be breached.

 

Threat actors will stop at nothing to cause harm. This requires an equal and opposite cybersecurity response. Worldwide, teams are under significant pressure and critically understaffed but all organisations, regardless of innovative ability, can benefit from artificial intelligence to bolster teams, automate repetitive tasks and flag potentially devastating threats.

March 11, 2021
Bryson Bort
Founder & CEO
SYTHE

This happened because of an insider threat. Employees at Verkada had Super Admin privileges which allowed them access to all cameras—this means they could spy on customer feeds without their knowledge. The Super Admin password was leaked publicly. This is an example of bad security practices and the erosion of trust and privacy with customers. Customers depend on companies to do the right thing with ubiquitous always-on and connected devices because there is no way for them to know what’s really happening.

March 11, 2021
Saryu Nayyar
CEO
Gurucul

The Verkada breach appears to stem from inadvertently leaving an Admin level password exposed.  If true, it points to a policy failure and a lack of adequate access controls. While the attackers claim to be up to a bit of mischief rather than disruptive crime, it is still illegal.

Verkada will need to review their access policies and their security stack to make sure they have the right defenses in place, including security analytics, to make sure another breach like this doesn't happen in the future.

March 11, 2021
Mark Sangster
Vice President and Industry Security Strategist
eSentire

The Verkada infiltration and resulting exposure of sensitive and embarrassing video from software firms, auto manufacturers, law enforcement and healthcare facilities brings home the risks associated with internet-connected devices. The Internet-of-things (IoT) is not limited to consumer-grade household devices, but mission critical surveillance systems, patient management, heavy machinery control, and so on. As companies adopt these technologies as a means of optimizing their operations, it's imperative that they understand the risk and take measures to mitigate them.

 

And vendors need to understand the obligations and particular risks of their clients. Vendors also need to assume they are a target of cybercrime as a means to an end, including infiltrating or damaging their intended targets. In an interconnected world, you are only as strong as the weakest link. Security is more than a promissory statement about intention, or boilerplate content on a website. Zoom learned that when the FTC came calling after marketing collateral outpaced its technical capabilities. This event might be more misdemeanour than felony. The stakes are too high for checkbox approaches to security. The SolarWinds attack demonstrated criminal behavior capable of infiltrating a vendor, infecting its source code, and covering their tracks. And even video surveillance files expose confidential information and manufacturing secrets that can be resold and undermine the value of a specific business, or damage the country's ability to compete on a global stage.

 

Industrial IoT requires the same care and attention as the traditional, unconnected counterparts. Safety standards and laboratory focus on physical risks like injury. Take for example an electrical appliance. Devices are classified by risk, and labels provide clear warnings to the user about safe operation. Where is the same standard for the cyber risks? We need to develop a system that classifies cyber risk and mandates specific controls and safety features to mitigate these risks. This includes access to source code and cloud services with super admin credentials. Security controls exist today to restrict access to critical systems, and provide time windows and task-based access that tracks access and reduces the risk of hyper-access infiltration and resulting breaches.

March 11, 2021
Kelvin Murray
Senior Threat Research Analyst
Webroot

Online cameras have been a favourite hacker hobby for years but it is rare to hear of a security camera company being owned in this fashion, especially one with such high-profile clients. Thankfully for the victims, on this occasion the attackers seem to be more interested in vandalism and were fairly open about their activities.

 

Although this hack was relatively straightforward it is often much easier to hack IoT and online camera set-ups in smaller businesses and everyone should be aware of the threats this attack vector poses.

March 11, 2021
Kyle Walker
Cybersecurity Regional Manager
A&O IT Group

The fact that it was this easy for a hacking group to get into Verkada’s systems is frightening and the hacker group’s intention was to expose these sorts of vulnerabilities in the first place.

I do not think that people are always aware how exactly we are exposed through surveillance companies like Verkada, we know that there is someone on the other side watching, but what about those that think these feeds are private to the outside world?

Another disturbing fact of this breach is that the hacking group was able to execute additional code on the cameras themselves, opening the opportunity for them to gain further access into Verkada’s client network. They did not have to do any sophisticated hacking for this to happen as it was a feature in the cameras themselves. The entire breach was very unsophisticated in that all the hackers needed was a privileged account that was already exposed on the internet.

From the camera feeds that were accessed, hackers were able to see live video feeds from within Tesla’s manufacturing plant in China, access prison and police surveillance systems as well as schools and hospitals. This is a large breach and the kind of data that Verkada was entrusted to may have just as well been left on the internet for everyone to see.

March 11, 2021
Jamie Akhtar
CEO and Co-founder
CyberSmart

This attack demonstrates how our digital systems are increasingly collecting a vast amount of highly sensitive data, both corporate and personal alike. It is a reminder of the responsibilities that organisations have to safeguard the data that they collect and process. High level cybersecurity must be made a priority to fulfil this responsibility. By adopting basic cyber hygiene measures and undergoing regular security awareness training, organisations will already be in a better position to defend against such threats.

March 11, 2021
Ilia Kolochenko
Founder and CEO
ImmuniWeb

This incident will likely trigger an avalanche of legal and judicial costs for the affected companies as the leak of such data is a reportable security incident under many state and federal laws. Moreover, individual notifications to the exposed victims filmed by the compromised cameras, or even notifications by a press release, may be required as a matter of law depending on the specific usage and location of the breached cameras.

 

The US has already enacted a federal law to prevent insecure IoT devices from being supplied to the Federal government via the “IoT Cybersecurity Improvement Act” in 2020. States like California and Oregon also pioneered state regulation of IoT security by enacting state laws. The California law is quite comprehensive from a technical viewpoint but is comparatively toothless: individuals cannot sue under the law and there are no fixed monetary penalties like under CCPA/CPRA that serve as a formidable deterrence for those who misuse personal data of the state citizens. In Europe, ENISA recently published a standard for IoT devices security, however, it has no legally binding power.

 

To avoid such domino-effect hacks of a disastrous nature, we urgently need a harmonious IoT data security legislation both in the US and EU. The current “patchwork” of disjoint laws is confusing, burdensome and inefficient.

March 11, 2021
Niamh Muldoon
Senior Director of Trust and Security, EMEA
OneLogin

Video footage has the ability to identify an individual and is classified as “sensitive” under privacy regulations such as GDPR and/or CCPA. Therefore, Verkada are likely to see a huge financial impact as a result of this data breach. Customers will want assurance that they are protected from a range of physical and cybersecurity threats, including identity theft. Privacy and industry regulators will be examining Verkada operations to assess whether appropriate controls were in place to protect these highly sensitive and regulated data types. While the root cause analysis has not been shared, it's fair to say that access controls to physical security systems and components often gets forgotten about or tends to be exempt due to the complexities of outsourcing, being on a separate network and the technical integration limitation. Leaders in the IAM space have addressed these complexities and provide trusted platforms that can streamline access, enforce strong authentication mechanisms with the ability to monitor, report and alert - reducing risk of unauthorized access.

March 11, 2021
Dr. George Papamargaritis
MSS Director
Obrela Security Industries

This breach is incredibly concerning. The compromised data in question is amongst the most highly regulated information in the world, and the fact that these security cameras, that can be found in hospitals, schools and police departments gives cybercriminals the opportunity to operate mass surveillance across restricted areas. Cybercriminals are opportunists and a live stream of ultra-sensitive CCTV could allow criminals to steal valuable assets - either intellectual or financial - and creates a serious concern for any vulnerable institution or individual.

March 11, 2021
Natalie Page
Cyber Threat Intelligence Analyst
Talion

The successful compromise of Internet of Things (IoT) devices such as surveillance cameras, is rapidly becoming a consistent occurrence. IoT devices are highly vulnerable to intrusions, due to their inability to perform regular software security updates as a computer does, something which adversaries understand all too well.

 

This attack against such a high-profile organisation, permitting attackers access to highly intrusive surveillance cameras is extremely disturbing. Our modern world relies heavily on surveillance, built on billions of cameras which observe our every move. We have essentially created an infrastructure which all adversary classifications across the threat landscape can leverage to achieve their goals.
