Security camera hack exposes hospitals, workplaces and schools

Hackers who wanted to draw attention to the dangers of mass surveillance said they could peek into hospitals, schools, factories, prisons, and corporate offices after breaking into the systems of a security camera startup.

That California startup, Verkada, said on Wednesday that it is investigating the scope of the breach, first reported by Bloomberg, and has notified police and its customers.

Swiss hacker Tillie Kottmann, a member of the group that calls itself APT-69420 Arson Cats, described it in an online chat with The Associated Press as a small collective of “mostly queer hackers, not backed by a country or capital, but supported through the desire for fun, being gay and a better world.”

They were able to access a Verkada “super” administrator account with valid credentials found online, Kottmann said. Verkada said in a statement that it has since disabled all internal administrator accounts to prevent unauthorized access.

But for two days, the hackers said, they were able to peer unimpeded into live feeds from potentially tens of thousands of cameras, including many looking at sensitive locations such as hospitals and schools. Kottmann said there were outdoor and indoor cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 freshmen and six educators were killed by a gunman in 2012 in one of the deadliest school shootings in US history.

The school district superintendent did not call back on Wednesday or respond to emailed requests for comment.

One of Verkada’s affected customers, San Francisco-based web infrastructure and security company Cloudflare, said the compromised Verkada cameras were monitoring entrances and main corridors of some of its offices that have been closed for nearly a year due to the pandemic.

“As soon as we became aware of the compromise, we turned off the cameras and disconnected them from the office networks,” said spokesman Laurel Toney. “No customer data or processes were affected by this incident.”

Another San Francisco tech company, Okta, said five cameras it placed near office entrances had been compromised, although there is no evidence that anyone watched the live streams.

Twitter said it has permanently suspended Kottmann’s account, which posted material collected during the hack, for violating its ban evasion rules, which usually happens when users start a new account to bypass a previous suspension. Kottmann had previously received a message from Twitter suspending the account for violating the rules against the distribution of hacked material, the hacker said.

The Verkada footage captured and shared by hackers included a Tesla facility in China and the Madison County Jail in Huntsville, Alabama. Madison County Sheriff Kevin Turner said in a statement on Wednesday that the prison has taken the cameras offline, adding “we are confident that this unauthorized release does not and will not affect the safety of any personnel or inmates.” Tesla did not respond to requests for comment.

Based in San Mateo, California, Verkada has unveiled its cloud-based surveillance service as part of the next generation of workplace security. The software detects when people are in view of the camera, and a “Person History” feature allows customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.

The company received negative attention last year when the video surveillance industry news site IPVM reported that Verkada employees had passed around photos of female colleagues collected by the company’s own cameras and made sexually explicit comments about them.

Cybersecurity expert Elisa Costante said it is worrying that this week’s hack was not sophisticated and simply involved using valid credentials to access a massive amount of data stored on a cloud server.

“What’s disturbing is how much real-world data can go into the wrong hands and how easy it can be,” said Costante, vice president of research at Forescout. “It’s a wake-up call to make sure that when you’re collecting so much data, we need basic safety hygiene.”

Kottmann said the hacker collective, active since 2020, is not looking for specific targets. Instead, it scans organizations on the Internet for known vulnerabilities and then tries to “just narrow down and dig in for interesting targets.”
