The latest breach involved 150,000 live cameras inside prisons, hospitals, schools and even police departments.
In another demonstration of the vulnerability of connected surveillance cameras, Silicon Valley security startup Verkada Inc was ironically involved in a security breach where hackers were able to access 150,000 live surveillance cameras inside hospitals, companies, police departments, prisons and schools.
The hackers also claimed that they have full access to the video archives of all of the firm’s customers. This is because attackers were able to access administrative credentials for a significant portion of the Verkada camera network.
While Verkada’s team were able to revoke the attackers’ access as one form of remediation, this in itself does not imply that remote monitoring was disabled: only that the previous credentials were invalidated. It also does not imply that the attackers were not able to change the software configurations within the camera or even potentially install other software.
What should have been
According to Synopsys Software Integrity Group’s Principal Security Strategist, Tim Mackey: “Whenever you deploy an internet connected device, there is always the potential for unauthorized access. If that internet connected device includes some form of monitoring by its supplier, then the risk of compromise increases—due partly to a lack of control over authorization.”
Mackey’s view is that operators of Verkada cameras should reflash each camera with a known good copy of the firmware, as well as look for any indications of compromise on monitoring systems. They then should ensure that the camera network is isolated from the internet, or if that is not possible, implement firewall protections to ensure that remote access only occurs from known locations over expected ports.
Another viewpoint, by Lotem Finkelstein, Head of Cyber Intelligence, Check Point Software Technologies, was that the Verkada hack is another example of a supply chain attack, where a single point of failure at the vendor’s network impacts its customers and offering an unlimited access to customers’ data.
“Supply chain attacks come in different forms, but always expose the weakest links. To gain a strong security posture, companies also need to make sure their vendors also secure their assets properly, so such cases won’t replicate themselves,” he said.
IoT: Insecurity of Things?
Common IoT devices can be breached: incidents worldwide have been cited in the news for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer. According to Asaf Hecht, Cyber Research Team Leader, CyberArk, while we cannot be sure yet that this is what happened in Verkada, recent breaches certainly have ‘scale’ in common, “demonstrating attackers’ growing confidence and precision (and ability) to efficiently extrapolate weaknesses for impact. And while Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed.”Based on what has been reported, this attack follows a well-worn attack path, said Hecht: target privileged accounts with administrative access, escalate privileges to enable lateral movement, and obtain access to highly sensitive data and information. “What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”