The video and AI security company Verkada has been infringed, giving hackers access to more than 150,000 internet connection security cameras used in schools, jail cells, hospital facilities and large companies such as Tesla, Nissan, Equinox, Cloudflare and others.
The cap was carried out by a stand-alone anti-corporate hactivist group called APT-69420, based in Switzerland. According to Till Kottmann, the group’s representative, they had access to Verkada’s systems on March 8 and the hood lasted 36 hours. She described Verkada, a start in Silicon Valley, as a “fully centralized platform” that made it easy for her team to use and download videos from thousands of security cameras. It looks like the major materials and institutions have been leaked, but not private homes.
The video and photos aim to capture a variety of activities that can be sensitive, such as safety videos from the Tesla carmaker and a screenshot from security firm Cloudflare. Some of the material is very personal, including a video of patients in hospital-intensive care units and inmates at Madison County Jail in Huntsville, Alabama.
Kottman described the security on Verkada systems as ‘non-existent and irresponsible’, saying her group had targeted the company to demonstrate how easy it is to access internet cameras placed in very sensitive locations.
Provided by Till Kottmann
Verkada said they had notified their customers of the hack, and that their security teams were working with an external security firm to investigate it. Verkada told CBS News: “We have eliminated all internal administrator accounts to prevent unauthorized access. Our internal security team and external security firm are investigating the scope and extent of this issue, and we have notified law enforcement.”
Provided by Till Kottmann
The FBI did not comment. CBS News reached out to Tesla and Equinox, but they were not available for comment at the time this story was published.
Kottmann provided CBS News with a 5 gigabyte archive of videos and images of the hack, describing the attack as ‘non-technical’ and not difficult to execute.
Provided by Till Kottmann
Kottmann said her group discovered a Verkada administrator username and password stored on an unencrypted subdomain. The company said it had exposed an internal development system to the Internet, which contained hard-coded references to a system account, which it said gave it full control over their system with ‘super-admin rights’.
“We’re looking for very broad vectors looking for vulnerabilities. This one was easy. We used their web application just like any other user, except we had the ability to switch to any user account. We did not have access to any server We simply logged in to their web user interface with a very privileged user [account]” Kottmann said.
Kottmann said her group of hackers is not motivated by money or sponsored by any country or organization. “APT-69420 is not supported by any countries or corporations, and is supported by nothing but gay, fun and anarchy,” she said.
Asked if he feared consequences, Kottman replied, “Maybe I should be a little more paranoid, but at the same time, what would that change? I’m just going to be targeted like I am now.”