The video security and AI company Verkada was breached, giving hackers access to more than 150,000 Internet-connected security cameras used in schools, prison cells, hospital ICUs and major companies such as Tesla, Nissan, Equinox, Cloudflare and others.
The hacking was carried out by a loose anti-corporate hactivist group called APT-69420, based in Switzerland. According to the group’s representative, Till Kottmann, they accessed Verkada’s systems on March 8 and the hacking lasted 36 hours. She described Verkada, a startup based in Silicon Valley, as a “fully centralized platform” that made it easy for your computer to access and download images from thousands of security cameras. The leaked images appear to include important companies and institutions, but not private homes.
The video and images are intended to capture a number of activities that may be sensitive, such as security video from the Tesla vehicle manufacturing line and a screenshot from security company Cloudflare. Part of the material is very personal, including video of patients in intensive care units in hospitals and prisoners at the Madison County Jail in Huntsville, Alabama.
Kottman described the security of Verkada systems as “non-existent and irresponsible” and said his group led the company to demonstrate how easy it is to access cameras connected to the Internet located in very sensitive places.
Provided by Till Kottmann
Verkada said they notified their customers about the hacking and that their security teams are working with an external security company to investigate it. Verkada told CBS News: “We have disabled all internal administrator accounts to prevent unauthorized access. Our internal security team and our external security company are investigating the scale and scope of this. problem and we have notified law enforcement. “
Provided by Till Kottmann
The FBI made no comment. CBS News has contacted Tesla and Equinox, but no comments could be made at the time of publication of this story.
Kottmann provided CBS News with a 5 gigabyte file that contained video and footage of the hack, and described the attack as “non-technical” and not difficult to carry out.
Provided by Till Kottmann
Kottmann said his group discovered a Verkada administrator username and password stored in an unencrypted subdomain. The company, he said, exposed an internal development system on the Internet, which contained coded credentials for a system account that, it said, gave them full control over their system with “super-administrator” rights.
“We are looking for very wide vectors looking for vulnerabilities. This was easy. We simply used their web application the way any user would, unless we had the ability to switch to any user account we wanted. No server, we just logged in to your web UI with a highly privileged user [account]”Kottmann said.
Kottmann said his group of pirates is not motivated by money or sponsored by any country or organization. “APT-69420 is not supported by any nation or corporation, but is supported only by being gay, funny and anarchist,” he said.
When asked if he feared the repercussions, Kottman replied, “Maybe I should be a little more paranoid, but at the same time, what would change? I’ll be as objective as I am now.”