Hackers breach thousands of security cameras, exposing Tesla, jails, hospitals

Hackers breach thousands of security cameras, exposing Tesla, jails, hospitals

A group of hackers says they breached a huge trove of security camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds from 150,000 surveillance cameras inside hospitals, businesses, police departments, prisons. and schools.

Companies whose images were exposed include automaker Tesla Inc. and software provider Cloudflare Inc. Additionally, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and Verkada offices.

Some of the cameras, even in hospitals, use facial recognition technology to identify and categorize the people captured in the images. The hackers say they also have access to the full video archive of all Verkada clients.

In video seen by Bloomberg, a Verkada camera inside Florida’s Halifax Health hospital showed what appeared to be eight hospital employees accosting a man and pinning him to a bed. Halifax Health is featured on Verkada’s public website in a case study titled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.” A Halifax spokesman confirmed Wednesday that it uses Verkada cameras, but added that “we believe the scope of the situation is limited.”

Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they gained access to 222 cameras at Tesla factories and warehouses.

The data breach was carried out by an international collective of hackers and was intended to show the pervasiveness of video surveillance and the ease with which systems can be entered, said Tillie Kottmann, one of the hackers who took credit for the merit of breaking the law based in San Mateo, California. Verkada.

Kottmann, who uses their pronouns, previously took credit for hacking to chipmaker Intel Corp. and automaker Nissan Motor Co. Kottmann said their reasons for hacking are “a lot of curiosity, fighting for freedom of information and anti-intellectual property, a large dose of anti-capitalism, a pinch of anarchism, and it’s just too much fun not to. ”

“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and the external security firm are investigating the scale and scope of this issue, and we have notified authorities.”

A person with knowledge of the matter said that Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and establish a helpline to answer questions, said the person, who requested anonymity to discuss an ongoing investigation.

“We were alerted this afternoon that the Verkada security camera system monitoring major entry points and major thoroughfares at a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.

Tesla said that, “to our current knowledge, the hacked cameras are only installed at one of our suppliers, and the product is not being used by our Shanghai factory, nor by any of our Tesla stores or service centers. Our data collected from factories in Shanghai and other places mentioned is stored on local servers. ”

Other companies identified in this story did not immediately respond to requests for comment. Representatives from the prisons, hospitals and schools named in this article declined to comment or did not immediately respond to requests for comment.

A video seen by Bloomberg shows officers at a police station in Stoughton, Wisconsin, questioning a man in handcuffs. Sergeant. Andrew Johnson, a Stoughton official, confirmed to Bloomberg News that the department uses Verkada cameras. Hackers say they also gained access to security cameras at Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.

Also available to hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama. Verkada offers a feature called “People Analysis,” which allows a customer to “search and filter based on many different attributes, including gender traits, the color of clothing, and even a person’s face,” according to a post. from Verkada’s blog.

Images seen by Bloomberg show that cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, track inmates and prison staff using facial recognition technology. The hackers say they were able to access live streams and archived videos, in some cases including audio, of interviews between police officers and crime suspects, all in the high-definition resolution known as 4K.

Kottmann said his group was able to gain “root” access to the cameras, meaning they could use the cameras to run their own code. That access could, in some cases, allow them to spin around and gain access to the wider corporate network of Verkada customers, or hijack the cameras and use them as a platform to launch future attacks. Getting this degree of camera access didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

The hackers’ methods were not sophisticated: they gained access to Verkada through a “super administrator” account, allowing them to look at the cameras of all their clients. Kottmann says they found a username and password for a publicly exposed administrator account on the Internet. After Bloomberg contacted Verkada, the hackers lost access to the video sources and files, Kottmann said.

The hackers say they were able to look at multiple locations on the luxury gym chain Equinox. At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras aimed at nine ICU beds.

The hackers also say they saw cameras at Tempe St. Luke Hospital in Arizona and were also able to see a detailed record of who used Verkada’s access control cards to open certain doors, and when they did so. A representative for Wadley declined to comment.

The hack “exposes how extensively we are being policed ​​and how little care is at least put into securing the platforms used to do so, looking for nothing but profit,” Kottmann said. “It’s amazing how I can see the things that we always knew are happening, but never get to see.” Kottman said they gained access to the Verkada system Monday morning.

Verkada, founded in 2016, sells security cameras that customers can access and manage via the web. In January 2020, it raised $ 80 million in venture capital funding, valuing the company at $ 1.6 billion. Among the investors was Sequoia Capital, one of the oldest firms in Silicon Valley.

Kottmann calls the hacker collective “Advanced Persistent Threat 69420,” a lighthearted reference to the designations cybersecurity companies give to state-sponsored hacking groups and cyber criminal gangs.

In October 2020, Verkada fired three employees after reports emerged that workers had used their cameras to take pictures of their colleagues inside Verkada’s office and make sexually explicit jokes about them.

Verkada CEO Filip Kaliszan said in a statement to Vice at the time that the company “fired the three individuals who instigated this incident, engaged in egregious behavior directed at their co-workers, or refused to report the behavior despite their duties as managers. ”

Jails, Homes, Offices

Kottmann said they were able to download the full list of thousands of Verkada clients, as well as the company’s balance sheet, which lists assets and liabilities. As a closely held company, Verkada does not publish its financial statements. Kottman said the hackers observed through the camera of a Verkada employee that he had installed one of the cameras inside his home. One of the saved camera clips shows the employee completing a puzzle with his family.

“If you are a company that has purchased this network of cameras and is placing them in sensitive places, you may not have the expectation that, in addition to being watched by your security team, there will be an administrator in the camera company that be watching, too, ”said Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation, who was briefed on the breach by Bloomberg.

Inside the Graham County Detention Center in Arizona, which has 17 cameras, center staff title the videos and save them to a Verkada account. One video, filmed in the “Common Area”, is titled “ROUNDHOUSE KICK OOPSIE”. A video archived within the “Back Cell Block” is called “VENDORS KISSING / FORGETTING WILLARD ???” Another video, filmed inside “Drunk Tank Exterior” is titled “AUTUMN BUMPS HIS OWN HEAD”. Two videos filmed of “Back Cell” are titled “LOOK OFF – DO NOT BLINK!” and “LANCASTER LOSES THE BLANKET.”

Hackers also gained access to Verkada cameras at Cloudflare’s offices in San Francisco, Austin, London, and New York. The cameras at Cloudflare headquarters rely on facial recognition, according to images seen by Bloomberg. “While facial recognition is a beta feature that Verkada makes available to its customers, we have never actively used it nor do we intend to do so,” Cloudflare said in its statement.

Security cameras and facial recognition technology are often used within corporate offices and factories to protect proprietary information and guard against an insider threat, said the EFF’s Galperin.

“There are many legitimate reasons to have surveillance within a company,” Galperin added. “The most important part is having the informed consent of your employees. Usually this is done within the employee manual, which no one reads ”.

.