Hackers aimed to draw attention to the dangers of mass surveillance said they were able to fixate on hospitals, schools, factories, prisons and corporate offices after breaking into systems. a security camera.
That California start-up, Verkada, said Wednesday that it is investigating the extent of the breach, first reported by Bloomberg, and that it has notified law enforcement and its customers.
Swiss hacker Tillie Kottmann, a member of the group called APT-69420 Arson Cats, described him in an online chat with The Associated Press as a small group of “mostly queer hackers, not supported by any nation. or capital, but supported by the desire for fun, to be gay and a better world. ”
They were able to access a “super” Verkada administrator account using valid credentials found online, Kottmann said. Verkada said in a statement that it has since disabled all internal administrator accounts to prevent any unauthorized access.
But for two days, hackers said, they were able to seamlessly watch the live channels of tens of thousands of cameras, including many watching sensitive places such as hospitals and schools. Kottmann said it included indoor and outdoor cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 first-graders and six educators were killed in 2012 by a gunman in one of the deadliest school shootings in U.S. history. USA.
The school district superintendent did not return calls or request comments by email Wednesday.
One of the customers affected by Verkada, San Francisco’s cloud and web infrastructure company Cloudflare, said Verkada’s compromised cameras were watching the entrances and main thoroughfares of some of its offices that have been closed for nearly a year in cause of the pandemic.
“As soon as we realized the commitment, we turned off the cameras and disconnected them from the office networks,” spokeswoman Laurel Toney said. “This incident has not affected any customer data or process.”
Another San Francisco tech company, Okta, said five cameras it placed at office entrances were compromised, though there is no evidence anyone has seen the live broadcasts.
Twitter said it permanently suspended Kottmann’s account, which posted materials gathered in the hack, for violating its rules against circumvention of the ban, which usually happens when users start a new account to circumvent a previous suspension. Kottmann had previously received a Twitter message suspending the account for violating its rules against the distribution of pirated material, the hacker said.
Images of Verkada captured and shared by hackers included a Tesla facility in China and the Madison County Jail in Huntsville, Alabama. Madison County Sheriff Kevin Turner said in a statement Wednesday that the prison has removed the cameras offline, adding that “we are confident that this unauthorized release will not affect or affect the safety of staff or inmates. “. Tesla did not respond to requests for comment.
Verkada, based in San Mateo, California, has introduced its cloud-based surveillance service as part of the next generation of workplace security. Its software detects when people are in sight of the camera and the “People History” feature allows customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.
The company drew negative attention last year when the IPVM video surveillance industry news site reported that Verkada employees had passed pictures of co-workers collected by the company’s internal cameras and made sexually explicit comments about them.
Cybersecurity expert Elisa Costante said it is worrying that this week’s hacking is not sophisticated and that it simply involves the use of valid credentials to access a huge amount of data stored on a cloud server.
“What’s disturbing is seeing how much real-life data can go into the wrong hands and how easy it can be,” said Costante, Forescout’s vice president of research. “It’s an alarm clock call to make sure that whenever you collect so much data we need to have basic security.”
Kottmann said the hacker collective, active since 2020, is not set after specific goals. Instead, it scans organizations on the Internet for known vulnerabilities and then works to “limit and delve into interesting goals.”