Verkada, a video surveillance company that sells AI-based security products, was reportedly breached on March 7 by a Swiss hacker named Tillie Kottmann (also known as ‘Till’). Kottmann is a representative of the threat group known as “APT 69420 Arson Cats,” which had previously targeted multinational automobile companies such as Nissan and Mercedes to expose their system vulnerabilities. The Verkada security breach has led to the leak of video feeds from nearly 150,000 cameras worldwide. Its victims’ list includes Tesla, Cloudflare, Equinox, prisons, hospitals, schools, and many more.
- Tillie Kottmann, part of a hacktivist group dubbed “APT 69420 Arson Cats,” published the screenshots and footage of the leak on her Twitter feed. Twitter has since suspended her account.
- The attack was targeted at a Jenkins server used by Verkada’s support team to perform bulk maintenance operations on customer cameras.
- The attackers gained unauthorized access to this server on March 7, 2021, and retained it until noon PST on March 9, 2021.
- Verkada has confirmed that the security breach compromised its video and image data from a limited number of cameras (although Kottmann claims that feeds from 150,000 cameras were accessed), a list of client account administrators including names and email addresses, and Verkada’s sales orders.
The Verkada Security Breach: As it Happened
Bloomberg first broke the news after Kottmann’s tweets showing evidence of the leaked footage, and contacted Kottmann for the full details of the compromised data. Asked about the motive behind the hack, Kottmann said,
Lots of curiosity, fighting for the freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.
When Verkada was informed of the security breach, it took immediate action and set up a team of experts to contain the issue. Its internal investigation found that the attackers gained access to its data through a Jenkins server used by Verkada’s support team for maintenance work, such as adjusting camera image settings at a customer’s request. Once the threat actors had access to the server, they could readily obtain client account administrator credentials, which let them bypass Verkada’s authorization and two-factor authentication controls.
The ongoing internal investigation, carried out with expert help from two external firms – Mandiant Solutions and Perkins Coie – has so far found no evidence that Verkada’s user passwords or password hashes, internal network, financial systems, or any other business systems were compromised.
However, Filip Kaliszan, CEO, Verkada Inc., did acknowledge the breach, stating,
Attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.
Kottmann’s Side of the Story
Kottmann’s side of the story, however, contradicts Kaliszan’s update. Talking to CBS News, Kottmann revealed that her group first found a Verkada internal administrator username and password stored on an unencrypted subdomain. According to her, the company had left an internal development server exposed to the open internet that contained “hard-coded credentials” for a system account with “super admin” rights. Kottmann added,
We did not access any server. We simply logged into their web UI with a highly privileged user (account).
Kottmann shared around 5GB of archives with CBS and Bloomberg that included videos and images from the hack. As per her claims, the threat group was able to download the feed from nearly 150,000 security cams placed in locations like hospitals, prisons, schools, public areas, and even in the vicinity of some known companies like Tesla, Nissan, Equinox, and Cloudflare, among others.
Asaf Hecht, Cyber Research Team Leader at CyberArk says, “The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard-coded passwords that are rarely, if ever, changed by the customer.
While Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed. Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement, and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”
Talking about the gravity of the attack and the seriousness of cybersecurity in physical security professionals, Christian Morin, CSO & Vice-President of Integrations & Cloud Services, Genetec, said, “As an industry, and as manufacturers in physical security, we cannot take these hacks lightly. The potential broad reaching impact of these hacks on physical security systems, including providing a beachhead to facilitate lateral movement onto networks, resulting in data and privacy breaches or access to critical assets and infrastructure, cannot be understated.
In one of our recent surveys, the State of Physical Security, we uncovered that only about 30% of security professional respondents were prioritizing cybersecurity initiatives in 2021. I can only hope this most recent incident acts as the wakeup call required to ensure every organization in the chain understands and acts upon the critical importance of privacy and security in the design, development, implementation, and operations of physical security systems.”