Verkada Surveillance Hack, Breach Highlights IoT Risks

Building security vendor Verkada Inc. reported a breach of customer surveillance data to the U.S. Federal Bureau of Investigation (FBI), the company said in a statement.

News of the Verkada breach broke Tuesday, along with the release of photos and videos from a number of the approximately 150,000 connected cameras. The affected businesses included such brand names as Tesla, Nissan and others, as well as security firm Cloudflare. Jails, schools and hospitals were also affected.

On Tuesday, March 9, Verkada notified customers of the breach. On Wednesday, the company updated customers on the status of the compromise.

“We have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part,” the company said.

According to Verkada’s analysis, the attack targeted a Jenkins server used by their support team to perform bulk maintenance operations on customer cameras. These operations included adjusting camera image settings at customers’ request. “We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication,” the company said.

While the investigation continues, Verkada is still contacting affected customers and has determined that the attackers obtained camera video and image data from a certain number of cameras belonging to a certain set of customers. The attackers also obtained a list of Verkada’s client account administrators, including names and email addresses but not passwords.

The attackers also obtained a list of Verkada sales orders, which includes data that is used by their software system to maintain license information. Verkada said there has yet to be any evidence of user credentials being stolen, or the company’s internal network, financial systems or other business systems being accessed.

“We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged,” the company said.

The company hired Mandiant Solutions and Perkins Coie to conduct a review of the root cause of the breach. The FBI is also assisting in this investigation, the company said.

Expect enterprise IoT risks to rise. Unfortunately, when many think of IoT risks, they think of home devices: intelligent speakers, networked lights and home security systems. But IoT devices are entering enterprise networks in large numbers, and they are used in everything from health care to improving business supply chains.

These are networked and increasingly intelligent devices, often with their own operating systems and complex APIs. On Dec. 4, 2020, the Internet of Things Cybersecurity Improvement Act was passed and became law. The law aims to use the purchasing power of the U.S. federal government to pressure IoT device makers to develop and deliver devices that are both natively more secure and able to be more securely managed by end users.