150,000 Verkada Cams Hacked, but it Gets Worse

After Tuesday’s horrifying news of the data breach at Verkada, now we learn that countless employees and interns routinely had full access to customers’ video feeds. So-called “super admin” access was often abused, with no effective auditing, sources say.

And management doesn’t care, we’re told. All this at a company that loves to brag about how much more secure it is than its competition.

It’s the same old story, with the same old lessons that never get learned. In today’s SB Blogwatch, we wax pedagogical.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Dodie’s silver lining.

“Leadership at Verkada give zero ****s”

What’s the craic? Charles Rollet reports—“Verkada Gave Various Employees Access To Any Camera”:

 Various employees across Verkada used ‘Super Admin’ privileges to view any customer’s camera footage at any time, unbeknownst to said customers. … This news comes after Verkada was hacked, exposing camera feeds for all of its ~150,000 cameras including those at Tesla, Cloudflare, and many other companies.

One of the hackers, Tillie Kottmann [said] Super Admin actions had poor oversight, stating they used the function for “two days” while using obviously fake terms. [They implied] Verkada was not properly monitoring or being alerted to misuses of these super admin actions.

A source with direct knowledge of the matter [said] Verkada’s Product and Engineering teams, along with company executives, had Super Admin privileges, allowing unrestricted access to any customer video surveillance footage … but did not disclose this to customers. … The source criticized Verkada’s leadership, specifically co-founder Hans Roberston: … “Leadership at Verkada give zero ****s about security.”

Verkada … responded with the same general statement they have provided to various publications. … Verkada will still need to answer why such broad internal admin access was provided and why no alerts were generated.

Extraordinary claims require extraordinary evidence. William Turton and Ryan Gallagher add some—“Verkada Workers Had Extensive Access to Private Customer Cameras”:

 More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees. … Verkada was breached on Monday, when hackers gained access to what’s known as a “Super Admin” account that allowed them to see all … 150,000 … live feeds and archived videos of Verkada’s customers.

Tillie Kottmann, one of the hackers who claimed credit for the incident, said they wanted to show the pervasiveness of video surveillance. … It is unclear whether most Verkada customers knew its employees could peer through the cameras they purchased from the company. … The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said.

The San Mateo, California-based company said the access was limited to those employees who needed to address specific … issues and that it had strict policies in place. … “Staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” … a company spokesman said.

[But] one former employee said … engineers were routinely looking at people’s cameras every day. … When an employee accessed a customer’s camera, the Verkada system required them to submit a reason for doing so. … But that documentation was rarely checked. … “You could put whatever you wanted; … you could even just enter a single space.”

Good grief. Tim Cushing dishes more dirt—“Thousands Of Security Cameras, Archived Footage Exposed”:

 Put enough cameras up and pretty soon they become tasty targets for malicious hackers. … Its list of customers — also exposed in the breach — includes schools, banks, bars, breweries, churches, condo complexes, museums, airports, a Salvation Army Center, as well as … hospitals, and prisons.

Surveillance is a growth market. Amass enough market share and someone’s going to want to see what you’ve collected. Verkada’s use of admin accounts was already problematic given what we know about the mindset of some of its administrators. Giving admins access to all customer cameras and recordings may make it easier to address user problems, but without better security, it’s also irresponsible.

Preach, brother. Can I get an “amen” from MasterofDisaster?

 The irony of course is that Verkada bills itself as the solution to all the other camera vendors being insecure. Maybe they need to reassess having half the company in sales, instead of engineering.

Yet another wakeup call for operators of physical security systems … to get some religion around updating firmware, managing certificates, and more comprehensive password management (i.e. what IT security has been doing for years).

But what should the firm have done? sjames suggestifies thuswise:

 Encrypt the data in-house, then send it to off-site storage. That way if the 3rd party proves to be less than secure at least the data is still encrypted. Further, rotate the encryption keys so in the unlikely event that one key is cracked the disclosure is limited.

I can just hear the lawyers opening the yacht catalogs. Andy Newbom is a believer—almost:

 I can almost believe that this will go down as one of the greatest flameouts in Security in a while. I can almost believe that their hubris and disdain would come to cost them.

Almost. More likely they will simply buy off all the lawsuits with someone else’s money and just raise prices for ‘security’ on their security.

Isn’t it time someone blames the victims? aww**** is happy to oblige:

 No amount of convenience is worth the risk of putting your security system in the cloud. Users got what they asked for here, ease of use and nothing else.

And then, the other shoe drops: Tillie Kottmann’s apartment gets raided by Swiss police. Security Shark—@netsecshark—notes that the warrant was for a different alleged hacking:

 I’m sure making a bunch of companies look really bad had nothing to do with the timing here. ****ing bull****.

Meanwhile, what should the offending company do now to improve their security posture? Here’s a pun-tastic cyberdemon, who is here all week (try the veal):

 They should verkada.

And Finally:

Oh noes! Dodie’s new album has been delayed. On the bright side, there’s this

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Lianhao Qu
(via Unsplash)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 421 posts and counting.See all posts by richi