Hackers Breach Thousands of Security Cameras
by David M. Reutter
An international group of hackers gained access to the security cameras at 68 organizations that use Silicon Valley start-up Verkada, Inc. They got into cameras at schools, prisons, police departments, hospitals, and other companies.
The incident was reported in March 2021 after a hacker identified as Tillie Kottmann contacted Bloomberg News with details about the hack. Kottmann said the breach was carried out by an international hacker collective. The intent behind the breach was to show the pervasiveness of video surveillance and the ease with which such systems can be compromised.
Kottmann’s press release took credit for hacking Intel Corporation and Nissan Motor Company. The group’s reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”
The hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,” Kottmann said. “It’s just wild how I can see the things we always knew were happening, but we never got to see them.”
According to Kottmann, the group used unsophisticated methods to gain access to Verkada’s servers. They used a “Super Admin” account that allowed them to view all of Verkada’s customers’ cameras. A user name and password for an administrator account were publicly exposed on the internet, allowing the hackers access.
Verkada confirmed the hackers “compromised” its platform on March 8 and 9, 2021. It said 97 customers, or less than two percent of its customer base of approximately 6,000, had their cameras accessed and video or image data viewed. The hackers may have accessed 4,530 cameras.
None of the cameras were viewed for more than 90 minutes. The hackers downloaded 4GB of data, but what data was transferred is unknown.
Kottmann showed Bloomberg images from inside Alabama’s Madison County Jail. Some of those images were from its 330 cameras “hidden inside vents, thermostats, and defibrillators, [to] track inmates and correctional staff using the facial recognition technology.” The hackers also accessed live feeds and archived video, some with audio, of interviews with police officers and suspects.
One video stream was from Florida hospital Halifax Health, which is mainly a mental health facility. It showed eight hospital staffers tackling a man and pinning him to a bed. Halifax Health, ironically, is featured on Verkada’s website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”
The hackers also gained access to the 17 cameras at Arizona’s Graham County Detention Center. It had an archive file with video files that were given names by center staff. One from the “Commons Area” is titled “ROUNDHOUSE KICK OOPPSIE.” Two videos from “Back Cell” are titled “STARE OFF—DON’T BLINK” and “LANCASTER LOSES BLANKET.”
Kottmann also said the group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. This was a built-in feature that did not require further hacking. This could enable the hackers to hijack cameras or use them as a platform for future attacks, and allow broader access to Verkada’s corporate network of customers.
“The integrity of each device’s root filesystem and firmware was verified by checking hashes against an expected set. The integrity check was run before and after a fleet-wide reboot of devices,” Verkada said in a Security Incident Report published in response to the hacking. “No evidence of backdoors or lateral movement was detected in our logs.”
The hackers did gain access via a customer support server using “admin-level credentials for executing support scripts.” That server was “a misconfigured customer support server exposed to the internet” that allowed the hackers to find the customer support administration credentials.
Kottmann said hackers were also able to download Verkada’s entire customer list and the company’s balance sheet. Verkada said the accessed customer files included names and email addresses but no passwords. It also said the hackers accessed a list of its sales orders.
Kottmann said hackers watched a video that a Verkada employee set up in his home. He is seen completing a puzzle with his family.
“If you are a company who has purchased this network of cameras and you are putting them in sensitive places, you may not have the expectation that in addition to being watched by your security team that there is some admin at the camera company who is also watching,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
The US Department of Justice announced on March 18, 2021, that a grand jury in Seattle, Washington, indicted Kottmann for conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft pertaining to activity that predated the Verkada hack. The indictment alleges Kottmann is a Swiss computer hacker who has hacked dozens of companies and government agencies. It alleged Kottmann leaked internal files and records of over 100 entities. Marcel Bosonnet, the Swiss attorney who previously represented Edward Snowden, has agreed to represent Kottmann. Switzerland does not allow the extradition of Swiss citizens against their will. While Kottmann’s home and that of her parents have been searched by Swiss police, she appears to be at liberty in Switzerland as we go to press. See: USA v. Kottman, USDC, W. Dist. WA, Case No. CR-21-048 RAJ.
Sources: bloomberg.com, verkada.com