Hackers were able to intrude on Verkada’s camera feeds on March 8th and 9th. The breach exposed over 150,000 surveillance cameras in sensitive institutions like police departments, schools, hospitals, companies, and prisons. Multinationals like carmakers Tesla and Nissan and the software company Cloudflare fell victim to the data security breach.
A report released by Tillie Kottmann, a 21-year-old hacker, revealed that the hackers had indicated that the breach was meant to show how vulnerable Verkada’s cameras are. The hacker group also claimed that they had full access to the entire video archives of Verkada’s customers. Worrisomely, some of the cameras have inbuilt facial recognition software that makes it easy to identify and recognize the individuals captured on the videos.
How the Verkada Attack Happened
Tillie Kottmann, a member of “APT-69420 Arson Cats”, claimed credit for the Verkada breach. Kottmann explained that the group’s motivation for conducting this attack was “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”
It is public knowledge that Kottmann was credited with penetrating Intel’s data systems in August 2020 and Nissan Motors Inc. in January 2021. Kottmann took to social media with the #OperationPanopticon hashtag. However, it’s not clear whether the hashtag refers only to the Verkada attack or is a code name for a collection of breaches against other companies that could expose millions of surveillance cameras to risk.
Twitter considered suspending Kottmann’s account as the best measure after Kottmann leaked Tesla’s security footage.
Kottmann claimed that the hacker group was able to acquire credentials for a Verkada administrator account with “super admin” rights, and that these credentials were available online. This made it easy to breach the software startup’s databases and all cameras belonging to Verkada’s customers.
How Verkada Responded
Verkada’s report about the incident agreed that the hackers had “gained access to a tool that allowed the execution of shell commands on a subset of customer cameras”. The management revealed that Kottmann’s team had gained access to the company’s databases through its support team’s Jenkins server, which is used for maintenance operations on clients’ cameras. It’s now clear that the hackers also gained access to a wide range of information like sales orders and lists of consumer accounts’ administrators.
However, in a move to reassure its customers, the management said that the company’s databases and systems had been secured.
The Verkada hack raises many questions about how secure your information is any time you entrust it to other parties. The issue also raises the question of whether companies should operate multiple super admin accounts, considering how delicate such databases can be. The bitter dose, in this case, would be to judge Verkada as the erring party.
In conclusion, databases are more likely to face hacking vulnerabilities as the number of super admin accounts increases. In simple terms, the more admins there are, the greater the likelihood that a company will be vulnerable to hacking operations.