Physical security concepts and practices have been around for centuries; cybersecurity, not so long. We are all more painfully aware than ever of the need for strong cybersecurity. Network security should be part of most business systems, yet the Internet of Things (IoT) has opened the realm of malicious cyber-attacks to a height unseen in recent times. IoT in any open space creates the potential for various cyber-attacks that can disrupt system operation and negatively impact a customer’s business. Because most physical security systems today are IP-based, the two formerly separate security disciplines are more entwined than ever.
While cybersecurity employs firewalls and encrypted passwords to harden network data, that data is vulnerable the moment an intruder gets inside a facility with a flash drive. Pen testers have proven this, and even guards can be manipulated and fooled. Safeguarding data from hacking from the inside requires a strategic physical security plan to secure entrances at a facility’s perimeter and interior doors. A secured entrance eliminates the risk of a data breach from unauthorized intrusion or tailgating, enhances identity authentication and provides access audit trails. Security entrances are not all the same, and the key is knowing the role they can play in intrusion prevention.
Founded in 2016, Verkada is a security company that focuses on surveillance and facial recognition using sophisticated software in security cameras. Its products are used by thousands of organizations around the globe, including hospitals, police departments, prisons, schools, and well-known companies such as Tesla and Cloudflare. Recently, a hacking group said it had accessed thousands of live feeds from Verkada's cameras around the world. The breach is estimated to affect more than 24,000 unique organizations.
Verkada's security cameras are not like your typical baby monitor or puppy cam; they are an extremely powerful part of the Internet of Things (IoT). They can identify individuals by detecting their faces, and are capable of filtering individuals by their gender, the color of their clothes, and other characteristics. The camera's AI can also detect "unusual motion" and use all of the gathered information to search, over time, for footage that includes a specific individual.
Verkada's CEO posted a special security update to the company's website. It appears to be the breach notification sent to customers, and it explains what happened: "First, we have identified the attack vector used in this incident, and we are confident that all systems were secured as of approximately noon PST on 9 March 2021 and remain secure today. If you are a Verkada customer, no action is required on your part (at this time).
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. The attackers gained access to this server on 7 March 2021 and maintained access until approximately noon PST on 9 March 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
The attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers' networks. All shell commands issued through our internal tool were logged."
In his letter to customers, Verkada's CEO explained what the company knows so far about hacker access to its systems, video feeds, and data. This includes:
- "Video and image data from a limited number of cameras from a subset of client organizations.
- A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
- A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems."
The company says that since the incident, it has brought in the FBI and hired Mandiant and Perkins Coie to conduct an internal review of the incident and ensure its internal security.
One hacker from the group responsible for this attack spoke with a media source. The hacker said the intent was "to show the pervasiveness of video surveillance and the ease with which systems could be broken into." When asked about their reasoning for hacking in general, they had quite an interesting reply: "Lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism, and it's also just too much fun not to do it." The hacking group claims they found a username and password for an administrative account publicly exposed on the internet. That seems like a plausible explanation given the CEO's statement above.
Researchers say the group then gained "root" access to the cameras, meaning they could use the cameras to execute their own code. In some cases, they were able to obtain access to the broader corporate network of Verkada's customers, and even hijack the cameras and use them as a platform to launch future hacks.
This story serves as a stark reminder that the more connected our world becomes, the larger the attack surface that can be reached with a keyboard and some mouse clicks. Red Sky Alliance has initiated meetings with physical security firms to review the deficiencies in video cameras, their network connections and monitoring consoles. Anything connected to a network or the Internet is susceptible to breaching, hijacking and theft of content. We have concrete examples of these attacks.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
source: https://www.secureworldexpo.com/industry-news/hacked-verkada-security-camera-company