A group of hackers viewed live and archived surveillance footage from hundreds of businesses, including Tesla, Equinox, healthcare clinics, jails, and banks, by gaining administrative access to camera maker Verkada over the past two days.
In addition to the images captured from the cameras, the hackers also shared screenshots showing their ability to gain root shell access to the surveillance systems used by Cloudflare and at Tesla HQ.
According to Tillie Kottmann, a reverse engineer for the group of hackers, they gained access to these surveillance systems using a super admin account for Verkada, a surveillance company that works with all of these organizations.
Massive Security Camera Breach
In this security-camera breach, hackers were able to view video from inside women’s health clinics, psychiatric hospitals, and the offices of Verkada itself. Some of the cameras, including those in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers are also said to have access to the full video archive of all Verkada customers.
A video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
The security-system intruders also gained access to 330 cameras, some hidden in vents and thermostats, in the Madison County Jail in Huntsville, Alabama, Bloomberg said.
Another video shows officers in a police station in Stoughton, Massachusetts, questioning a man in handcuffs. The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
“The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into,” said Tillie Kottmann.
The Hackers’ Methods were Unsophisticated
They gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
Kottmann shared images of what appeared to be root access to a Linux operating system. From these images, you can see the MAC address of one of the network cards, which corresponds to equipment developed by surveillance company Verkada.
After Bloomberg News, which first reported on this attack, contacted Verkada, the hackers lost access to the hacked super admin account.
Kottmann said their reasons for hacking are “lots of curiosity, fighting for the freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
Verkada’s chief information security officer, an internal team, and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said a person who requested anonymity to discuss an ongoing investigation.