Hack of video security company Verkada exposes images from 150,000 connected cameras

Video and AI security company Verkada was breached, allowing hackers to access more than 150,000 internet-connected security cameras used in schools, prison cells, hospital ICUs and large corporations such as Tesla, Nissan, Equifax, Cloudflare, and others.

The hack was carried out by a loose anti-corporate hacktivist group called APT-69420 based in Switzerland. According to the group’s representative, Till Kottmann, they had access to Verkada’s systems on March 8 and the hack lasted 36 hours. She described Verkada, a Silicon Valley startup, as a “fully centralized platform” that made it easy for her team to access and download images from thousands of security cameras. The leaked images appear to show large companies and institutions, but not private homes.

The video and images appear to capture a range of activities that may be sensitive, such as security video of the Tesla car production line and a screenshot from inside the security company Cloudflare. Some of the material is highly personal, including video of patients in hospital intensive care units and inmates at the Madison County Jail in Huntsville, Alabama.

Kottmann described the security of Verkada systems as “nonexistent and irresponsible,” and said her group focused on the company to demonstrate how easy it is to access internet-connected cameras placed in highly sensitive locations.

Security footage of Halifax Health provided by APT-69420.

Supplied by Till Kottmann


Verkada said it has notified its customers about the hack and that its security teams are working with a third-party security company to investigate. Verkada told CBS News, “We have disabled all internal administrator accounts to prevent unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue and we have notified the police.”

Screenshot of a Cloudflare office building based on footage provided by APT-69420.

Supplied by Till Kottmann


The FBI did not comment. CBS News has reached out to Tesla and Equifax, but they were unavailable for comment at the time this story was published.

Kottmann provided CBS News with a 5 gigabyte archive of video and images from the hack, describing the attack as “non-technical” and not difficult to implement.

Screenshot of a prison facility based on security footage provided by APT-69420.

Supplied by Till Kottmann


Kottmann said her group discovered a Verkada administrator username and password stored on an unencrypted subdomain. The company, she said, had exposed an internal development system to the internet, and that system contained hard-coded credentials for a system account which, she said, gave them full control of their system with “super admin” privileges.

“We do scans for very broad vectors looking for vulnerabilities. This one was simple. We just used their web app like any user would, except we had the option to switch to any user account we wanted. to a server, we just logged into their web interface with a very privileged user [account],” said Kottmann.

Kottmann said her group of hackers is not motivated by money or sponsored by any country or organization. “APT-69420 is not supported by nations or corporations, only supported by gay men, fun and anarchy,” she said.

When asked if she was afraid of repercussions, Kottmann replied, “Maybe I should be a little paranoid, but what would it change at the same time? I’ll be just as focused as I am now.”
