Security camera hack exposes hospitals, workplaces, schools

Hackers who intend to draw attention to the dangers of mass surveillance have said they managed to look into hospitals, schools, factories, prisons and corporate offices after breaking into the systems of a security camera startup.

California-based startup Verkada said Wednesday it was investigating the purpose of the breach, first reported by Bloomberg, and notified law enforcement and its customers.

Swiss hacker Tillie Kottmann, a member of the group called APT-69420 Arson Cats, described it in an online chat with The Associated Press as a small group of “primarily queer hackers who are not supported by any nation or capital,” but supported by the desire to have fun, to be gay and for a better world.

They were able to gain access to a Verkada “super” administrator account using valid credentials found online, Kottmann said. Verkada said in a statement that it has since disabled all internal administrator accounts to prevent any unauthorized access.

But for two days, hackers said, they were able to watch unhindered live streams from potentially tens of thousands of cameras, including many that were watching sensitive locations, such as hospitals and schools. Kottmann said it included outdoor and indoor cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 first-graders and six educators were killed in 2012 by a gunman in one of the deadliest school shootings in US history.

The school district superintendent did not return calls or email requests for comments Wednesday.

One of the affected Verkada customers, the San Francisco-based infrastructure and web security company Cloudflare, said compromised Verkada cameras were tracking entrances and major access roads to some of its offices that had been closed for nearly a year due to the pandemic.

“As soon as we became aware of the compromise, we turned off the cameras and disconnected them from office networks,” said spokeswoman Laurel Toney. “No lawsuits or customer data were affected by this incident.”

Another San Francisco technology company, Okta, said five cameras it placed at office entrances had been compromised, although there was no evidence that anyone had seen the live streams.

Twitter said it had permanently suspended Kottmann’s account, which posted hacked material, for violating its rules against ban evasion, which usually happens when users start a new account to circumvent a previous suspension. Kottmann had earlier received a message from Twitter suspending the account for violating its rules against the distribution of pirated materials, the hacker said.

Verkada images captured and distributed by hackers included a Tesla facility in China and Madison County Prison in Huntsville, Alabama. Madison County Sheriff Kevin Turner said Wednesday in a statement that the prison took the cameras offline, adding that “we are confident that this unauthorized release has not affected and will not affect the safety of staff or detainees.” Tesla did not respond to requests for comment.

Verkada, based in San Mateo, California, has launched its cloud-based surveillance service as part of the next generation of workplace security. Its software detects when people are viewing the camera, and a “Person History” feature allows customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.

The company drew negative attention last year, when the IPVM video surveillance industry news site reported that Verkada employees passed around photos of co-workers collected by the company’s own cameras and made sexually explicit comments about them.

Cybersecurity expert Elisa Costante said she was concerned that this week’s hack was not sophisticated and simply involved using valid credentials to access a lot of data stored on a cloud server.

“What’s annoying is seeing how much real-life data can get into the wrong hands and how easy it can be,” said Costante, vice president of research at Forescout. “It’s a wake-up call to make sure that whenever you collect so much data, we need to have basic security hygiene.”

Kottmann said the hacker team, active since 2020, does not set out with specific goals. Instead, it scans organizations on the Internet for known vulnerabilities and then works to “just narrow down and look for interesting goals.”
