Verkada Security Camera Hack Allows Access, Leak of Hospital Live Feeds
First reported by Bloomberg, the hack of Verkada allowed hackers to gain access to the live feeds of 150,000 security cameras, including those belonging to several hospitals and Tesla.
A report from Bloomberg shows hackers were able to gain access to the live feeds from at least 150,000 security cameras, including those belonging to several hospitals, health clinics, Tesla, and Cloudflare
The attackers provided the news outlet with video footage from cameras managed by the startup Verkada to provide evidence of their claims. Verkada is a video management and AI security startup based in California.
The group, who calls themselves Advanced Persistent Threat 69420, claim to have accessed security cameras belonging to Halifax Health in Florida. The video shows live footage of clinicians and patients.
Additional footage allegedly belongs to Sandy Hook Elementary School in Connecticut, Texas-based Wadley Regional Medical Center, Tempe St. Luke’s Hospital in Arizona, the luxury gym chain Equinox, a police station in Wisconsin, and the Madison County Jail in Alabama.
The hackers also claim to have stolen footage from more than 200 cameras tied to Tesla warehouses.
The group says they stole the data to reveal just how easy the devices are to hack, as well as the pervasiveness of surveillance cameras across the country. To obtain the footage, the attackers gained access through an administrator account after obtaining a publicly exposed credential set for the account.
Credentials are easy to obtain through dark web postings or through phishing efforts. Recent reports estimate that about 50 percent of phishing emails are designed to steal credentials from victims.
The account access allowed the attackers to gain root access to the hacked cameras, which could have enabled future attacks, lateral movement, or the deployment of malicious software. Further, the access was gained without sophisticated hacking means.
The hackers were also able to download the entire list of Verkada clients. Verkada is currently looking into the incident, while some of the victim companies responded that it appears the hack is limited in its scope.
After Verkada was contacted, the hackers lost access to the feeds.
The hack provides a clear example of the risk of third-parties and connected devices, as well as the need for better understanding of how devices communicate with each other. As recently noted, attackers are leveraging all means to break into networks under the current threat landscape.
As demonstrated by recent exploits of vulnerabilities in SolarWinds, Microsoft Exchange, and Accellion, all vulnerabilities are being targeted -- and often without extensive effort.
"While the Verkada website bolsters that they have a “Secure by Default” methodology, it is clear that while we create devices with security-in-mind, what humans create typically has flaws,” Ordr CSO Jeff Horne, told HealthITSecurity.com in an email.
“Security is not one dimensional and while organizations might point to the faults in Verkada’s practices, the ownness is not solely on the supplier or manufacturer – although this point can be argued at length,” he added.
The onus is on organizations to review the rapid deployment and implementation of connected devices, which has only amplified amid the COVID-19 response, to gain clear depth on how devices communicate, Horne explained.
These measures must be coupled with the creation and maintenance of a continuous and accurate inventory, as well automated alerts based on any device or group of connected devices for when activities are discovered outside of a set baseline, he added.
Automation should also be applied to the proper segmentation of devices, which can prevent “lateral movement inside your network via the device(s),” said Horne.
Entities should also ensure administrative maintenance accounts are properly secured.
“Since the video system data can contain personally identifiable information, company confidential information, and personal health information , it is important that our security community band together to help Verkada, the impacted organizations, and the individuals whose privacy was exploited,” Horne concluded.