The security breach of security camera startup Verkada, which gave hackers access to videos from nearly 150,000 cameras – including those in prisons, schools, hospitals and electric car giant Tesla – means organizations deploying cloud-based IoT devices should give their security plans another look.
The hackers gained access to Verkada’s infrastructure through a ‘super admin’ account, which strongly indicates that the credentials were obtained through a phishing attack made more convincing by social engineering.
Hank Schless, senior manager of security solutions at Lookout, said targeted phishing attacks – otherwise known as spear phishing attacks – are used by malicious actors who gather publicly available information in places such as social media profiles to build a convincing campaign targeting an individual.
Schless noted that spear phishing attacks are particularly effective on mobile devices where an attacker can phish the individual over voice (vishing), SMS (smishing) and other personal channels outside the controls of traditional perimeter-based security tools.
“In both of these situations, an attacker can socially engineer their way into convincing the target to share login credentials with them,” Schless explained.
Schless noted attackers have also been known to target lower-level employees and phish their credentials, only to move laterally through the infrastructure once they have access.
“If the organization doesn’t have certain protections in place in their infrastructure, the attacker could escalate their own privileges in order to gain admin access,” he warned.
The growing number of IoT devices connecting to private corporate networks also expands the attack surface and potentially exposes sensitive data such as medical records, personally identifiable information and workplace plans.
“One of the main problems with IoT security at present is that the rush to market often deprioritizes security measures that need to be built into our devices,” said Stefano De Blasi, threat researcher at Digital Shadows. “This issue has made many IoT devices low-hanging fruit for criminals interested in stealing sensitive data and accessing exposed networks.”
Additionally, criminals can exploit vulnerable products by leveraging their computing power and orchestrate massive IoT botnet campaigns to disrupt traffic on targeted services and to spread malware.
Part of any robust IoT security strategy involves securing every element of the digital chain of security: data, infrastructure, device, endpoint, application and identity, since each of those elements is a potential gateway to a breach.
Setu Kulkarni, vice president of strategy at WhiteHat Security, explained the Verkada breach is illustrative of how a number of simple gaps across multiple elements of the “digital chain of custody” can be combined to orchestrate a significant breach.
“In this case, the fact that the super admin account information was freely available, and the fact that missing security controls on the device are considered ‘by design’ point to how a combination of security gaps across the digital chain of custody resulted in such a significant breach,” he noted.
To reduce attacks like this in the future, it is critical to take privileged access seriously, and organizations should make stronger controls and requirements around it a top priority.
This includes moving to the principle of least privilege (PoLP), under which access is granted on demand only once authorization is approved, and code runs with the lowest privilege or permission level possible.
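The on-demand, approval-gated access the paragraph describes can be made concrete with a small just-in-time privilege broker. The following is an added illustration written for this article, not Verkada’s code or any vendor’s product; the roles, permission strings, user names and incident reference are constructed for the demo. Elevation requires an approver other than the requester, every grant is time-boxed, and each grant, use, expiry or denial lands in an audit log, so there is no standing ‘super admin’ account for a phished credential to unlock.

```python
"""Just-in-time privileged access broker (added example, not Verkada's code).

Roles, permissions, users and the incident id are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role -> permission mapping. The everyday role carries no camera rights;
# camera administration is only reachable through a time-boxed, approved grant.
ROLE_PERMISSIONS = {
    "support-agent": {"ticket:read", "ticket:write"},
    "camera-admin": {"camera:view-live", "camera:export-footage"},
}


class AccessDenied(Exception):
    """Raised when elevation is refused."""


@dataclass
class Grant:
    user: str
    role: str
    approved_by: str
    expires_at: datetime


@dataclass
class PrivilegedAccessBroker:
    # Clock is injectable so expiry can be tested without sleeping.
    now: callable = lambda: datetime.now(timezone.utc)
    max_grant: timedelta = timedelta(minutes=30)   # hard cap on any elevation
    grants: dict = field(default_factory=dict)     # (user, role) -> Grant
    audit_log: list = field(default_factory=list)

    def request(self, user, role, approver, justification, minutes=30):
        """Elevate `user` into `role`; needs a distinct approver and is time-boxed."""
        if role not in ROLE_PERMISSIONS:
            raise AccessDenied(f"unknown role {role!r}")
        if approver == user:
            self._log("denied", user, role, "self-approval rejected")
            raise AccessDenied("approver must differ from requester")
        ttl = min(timedelta(minutes=minutes), self.max_grant)
        grant = Grant(user, role, approver, self.now() + ttl)
        self.grants[(user, role)] = grant
        self._log("granted", user, role, f"by {approver} for {ttl}: {justification}")
        return grant

    def check(self, user, permission):
        """True only if an unexpired, approved grant of `user` carries `permission`."""
        for (holder, role), grant in list(self.grants.items()):
            if holder != user:
                continue
            if grant.expires_at <= self.now():
                del self.grants[(holder, role)]      # expired grants are dropped on use
                self._log("expired", user, role, "")
                continue
            if permission in ROLE_PERMISSIONS[role]:
                self._log("used", user, role, permission)
                return True
        self._log("denied", user, "-", permission)
        return False

    def run_privileged(self, user, permission, action):
        """Run `action` only under a valid grant; the least-privilege enforcement point."""
        if not self.check(user, permission):
            raise AccessDenied(f"{user} lacks {permission}")
        return action()

    def _log(self, event, user, role, detail):
        self.audit_log.append({
            "ts": self.now().isoformat(), "event": event,
            "user": user, "role": role, "detail": detail,
        })


def demo():
    """Walk one elevation through its lifecycle with a fake clock (constructed data)."""
    clock = {"t": datetime(2021, 3, 15, 9, 0, tzinfo=timezone.utc)}
    broker = PrivilegedAccessBroker(now=lambda: clock["t"])
    before = broker.check("alice", "camera:export-footage")        # no standing access
    broker.request("alice", "camera-admin", approver="bob",
                   justification="INC-0001 (constructed)", minutes=15)
    during = broker.run_privileged("alice", "camera:export-footage", lambda: "exported")
    clock["t"] += timedelta(minutes=16)                             # grant has lapsed
    after = broker.check("alice", "camera:export-footage")
    return before, during, after, [e["event"] for e in broker.audit_log]


if __name__ == "__main__":
    print(demo())
```

The design point is that `run_privileged` is the only path to a sensitive operation, and it consults a grant that someone else approved and that expires on its own; the audit log records the approver and justification, which is exactly the visibility a post-incident review needs.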
For others, the establishment of better standards and accountability for securing devices and their software continues to be a positive development.
“Fixing IoT security will require a concerted effort across the supply chain, not on fixing a singular technology or vulnerability,” said Jack Mannino, CEO at nVisium. “Many devices have remained plagued by vulnerabilities for years, and if we want to do a better job in the future, we have to start now.”
News of the breach comes in the wake of the IoT Cybersecurity Improvement Act, signed into law in December 2020. The legislation, which is designed to better incentivize companies to secure the devices they build and sell, requires the National Institute of Standards and Technology (NIST) to create a new set of standards for IoT device security.
Verkada co-founder and CEO Filip Kaliszan explained in a company blog post on March 15 that, over the next 100 days, the company is planning a review of its internal access management policies and introducing data governance tools for customers to offer better visibility into how data, account information and audit logs are protected, accessed and stored.
Verkada has also hired cybersecurity firm Mandiant and law firm Perkins Coie to conduct a “comprehensive review” of the security of the company’s systems.