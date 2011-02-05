Comment - Hackers access live feeds of 150,000 security cameras

March 2021 by Kyle Walker, Cybersecurity Regional Manager at A&O IT Group

A group of activist hackers (Hacktivists) known as APT 69420 was able to gain super admin privileges on Verkada Inc systems exposing more than 150 000 camera feeds of its clients. Verkada is a Silicon Valley security startup that provides surveillance systems to its clients. The clients that were exposed included Cloudflare, Tesla, County prisons, hospitals, schools, and others.

The administrator account was found publicly available on the internet and allowed hackers to gain access to live feeds, video archives and other confidential information like Verkada’s balance sheet. The comment below from Kyle Walker, Cybersecurity Regional Manager at A&O IT Group.

“The fact that it was this easy for a hacking group to get into Verkadas systems is frightening and the hacker group’s intention was to expose these sorts of vulnerabilities in the first place.

I do not think that people are always aware how exactly we are exposed through surveillance companies like Verkada, we know that there is someone on the other side watching, but what about those that think these feeds are private to the outside world?

Another disturbing fact of this breach is that the hacking group was able to execute additional code on the cameras themselves, opening the opportunity for them to gain further access into Verkada’s client network. They did not have to do any sophisticated hacking for this to happen as it was a feature in the cameras themselves. The entire breach was very unsophisticated in that all the hacker’s needed was a privileged account that was already exposed on the internet. From the cameras feeds that were access, hackers were able to see live video feeds from within Tesla’s manufacturing plant in China, access prison and police surveillance systems as well as schools and hospitals. This is a large breach and the kind of data that Verkada was entrusted to may have just as well been left on the internet for everyone to see.”