Hackers Breach 150K Live Surveillance Cameras At Tesla, Cloudflare, Jails And It's Ugly
Over the last couple of weeks, hackers have been out in force, breaking into Microsoft Exchange and other services. Now, a group of international hackers who view themselves as vigilantes have breached Silicon Valley-startup Verkada Inc. This gave the hackers access to the live feeds of 150,000 surveillance cameras installed in numerous businesses and organizations.
Today, the hacker group went public, explaining that they had footage from Tesla, Cloudflare Inc., and many other high-profile organizations. Moreover, the hackers accessed footage from “inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.” One video even showed footage from inside Florida-hospital Halifax Health in which eight hospital workers tackled a man and pinned him to a bed.
Another video was filmed inside a Tesla warehouse in Shanghai, which showed workers on the assembly line. The hackers gained access to 222 other Tesla factory and warehouse cameras. The reason for hacking these companies and organizations was “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it,” according to hacker Tillie Kottman.
Kottman also explained that the group of hackers, dubbed “Advanced Persistent Threat 69420,” obtained root access on the cameras without much work, meaning they effectively had free rein over the system. This access level was achieved using a “Super Admin” account found on the internet. This could allow data exfiltration or a pivot point to access other systems within Verkada customers’ systems. Thankfully, the hackers only intent seemed to be raising awareness of wide-scale surveillance. We reached out to Kottman and they provided direct verification of the compromised assets. Kottman also explained to Bloomberg that the hack "exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
Since the attack went public, Verkada has disabled internal administrator accounts to prevent unauthorized access and is simultaneously “investigating the scale and scope of this potential issue.” The company is working to notify customers who may have impacted by the breach. We have included a short list of companies and organizations not included in the above spreadsheet:
- Sandy Hook Elementary School - Newtown, Connecticut
- Madison County Jail - Huntsville, Alabama
- Luxury gym Equinox
- Wadley Regional Medical Center - Texarkana, Texas
- All other Verkada customers (listed in spreadsheet snipped above.)