150,000 surveillance cameras , including some shots inside a factory and showroom Tesla , a prison in Alabama and even hospital rooms and police stations were violated.
It is in fact considered a hacker attack, but far from conventional. Tillie Kottmann , a Swiss developer who had already made himself known in the past for having discovered and reported computer security holes, shared with the editors of Reuters some recordings captured inside companies, hospitals, prisons, schools and police districts through their video surveillance system.
The recordings provided by Kottmann were “stolen” by a group of hackers following the attack on the Californian video surveillance company Verkada . The group gained full access to archives and real-time feeds of over 150,000 cameras . But the point is: how did they do it? In the most banal way possible: using username and password of a “Master” account , that is one able to access the company's complete IT system.
And no, the account wasn't stolen in some sophisticated way . The hackers simply found the login credentials online. Obviously, no further details have been reported about it, but the distraction of someone was enough to compromise a company that actually has access to particularly sensitive data. According to what was reported, by accessing the surveillance systems, the hackers could also have access to other subsystems of the various buildings.
Verkada had already been at the center of a controversy last year. Some employees had used the company's cameras and facial recognition technology to take and share photographs of their coworkers. Three employees had been fired due to this scandal, and we don't know what the company's reaction will be in this case. For the time being, all manager accounts have been disabled and both customers and law enforcement have been notified. Just think that Verkada has something like 5,200 customers , including entire cities, colleges and hotels. The reflection that you find below seems to us quite fitting. Attacks of this kind can only fuel the fear of future privacy violations that are risked in an increasingly interconnected world.
While the group's true motivation remains hidden, it appears to be cyber activism – a breach that aims to expose the poor security status of CCTV cameras. However, keep in mind that these compromised devices could also be used to install malware and initiate DDoS attacks, as well as to infiltrate connected networks for profit, comments, a leader in Cyber Protection.
It is very likely that this attack will further spread the fear of a monitoring state where the individual's privacy is lost; undoubtedly, it will be the biggest privacy concern of the new decade.
Candid Wüest, Vice President Cyber Protection Research of Acronis
