The Verkada Hack Was Not A Hack

“With a single breach, those scenes — and glimpses from more than 149,000 security cameras — were suddenly revealed to hackers, who had used high-level log-in credentials to access and plunder Verkada’s vast camera network.” – Washington Post

Last week’s Verkada “hack” was not a hack. They left the key under the doormat for the painter to get in while they were away for the weekend. The international hacktivist organization Advanced Persistent Threat 69420 gained access to the cameras because a super admin username and password had been exposed on the internet, which allowed them to see footage from nearly 150,000 cameras. They also discovered that, because of built-in features, they could execute custom code and hijack the cameras for future use. It was a breach of data security that resulted from irresponsibility on the part of the Verkada team and their more prominent clients.

Sloppiness on the part of the Verkada team.

The alleged hackers used a basic super admin password to access the root systems. Once they were in, they had access to everything.

Verkada could have prevented the breach by using better passwords, MFA, and other fundamental techniques to avoid brute force attacks. But in reality, they left the door unlocked so that the bad guy could stroll right in, which is equivalent to another social dilemma plaguing the country: “I left the key fob in my new Mercedes, and the car was stolen.” As the proverb says, “Locks keep honest people honest,” and the same goes for digital security.

Laziness on the part of the Verkada clients. 

The clients who use Verkada are “sophisticated” tech companies that right now need to disclose to the SEC that potentially ALL of their IP has been stolen (for companies that are publicly traded).

The Verkada system is designed to aggregate security data and video from multiple facilities so admins can monitor it from a centralized command center. The Verkada customers were exposed beyond the data intended for the Verkada system because they did not segregate their networks adequately. Essentially, the camera monitoring the factory is on the same network as the machine putting the cars together on the factory floor. The camera network should have had multiple barriers separating it from the network that transmits intellectual property.
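
The segregation described above can be checked against an asset inventory and flow records. The following is an added example, not from the original article: it flags cameras that sit outside a dedicated camera segment and any connection touching a camera that is not explicitly allowlisted. All subnets, device roles and flow records are constructed assumptions.

```python
import ipaddress

# Constructed segment plan, inventory and flows (assumptions, not from the article).
SEGMENTS = {
    "cameras": ipaddress.ip_network("10.20.0.0/24"),
    "factory_floor": ipaddress.ip_network("10.30.0.0/24"),
    "engineering": ipaddress.ip_network("10.40.0.0/24"),
    "egress_proxy": ipaddress.ip_network("10.50.0.5/32"),
}
# The only connection a camera may take part in: HTTPS out to the proxy.
ALLOWED = {("cameras", "egress_proxy", 443)}
INVENTORY = {  # ip -> device role
    "10.20.0.11": "camera",
    "10.20.0.12": "camera",
    "10.30.0.77": "camera",  # camera plugged into the factory VLAN
    "10.30.0.20": "plc",
    "10.40.0.8": "cad_server",
}
FLOWS = [  # connection initiations: (src, dst, dst_port)
    ("10.20.0.11", "10.50.0.5", 443),
    ("10.20.0.12", "10.40.0.8", 445),
    ("10.30.0.77", "10.30.0.20", 502),
    ("10.40.0.8", "10.20.0.11", 22),
]

def segment_of(ip):
    """Return the name of the segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def misplaced_cameras(inventory):
    """Cameras whose address lies outside the camera segment."""
    return sorted(ip for ip, role in inventory.items()
                  if role == "camera" and segment_of(ip) != "cameras")

def segmentation_violations(flows, inventory):
    """Connection initiations that involve a camera and are not allowlisted."""
    bad = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        is_camera = "camera" in (inventory.get(src), inventory.get(dst))
        if (is_camera or "cameras" in (s, d)) and (s, d, port) not in ALLOWED:
            bad.append((src, dst, port, f"{s}->{d}"))
    return bad
```

The check is deliberately strict: camera-to-camera traffic inside the camera segment is reported as well, since only the proxy path is allowlisted.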

Like the SolarWinds gap in security, there will be no way to measure the extent of the exposure caused by this gap. While the hacktivist group that exposed the hack seems to have good intentions, there is no telling which cybercriminals and malicious actors had access to Verkada’s network of cameras, or for how long.

For this incident to be considered a hack, it would have to come with the understanding that there was a loophole or vulnerability someone cleverly found their way through. In this case, there was no clever loophole; it was the blatant lack of responsibility that caused the breach. 

Companies have to start asking an essential, multi-part question: How do we protect our data, our clients’ data, and the data we put in the hands of third parties that are providing a product or a service? By adhering to fundamental digital security best practices and reducing its IT footprint, Verkada could have wholly avoided this mishap.

Michael Abboud
michael@tetherview.com