Verkada’s video security hack exposes images from 150,000 connected cameras

The video security and AI company Verkada was hacked, giving hackers access to more than 150,000 Internet-connected security cameras that were used in schools, prison cells, hospital ICUs and major companies such as Tesla, Nissan, Equifax, Cloudflare and others.

The hack was carried out by an anti-corporation hacktivist group called APT-69420, based in Switzerland. According to Till Kottmann, a representative of the group, they accessed the Verkada systems on March 8, and the hack lasted 36 hours. She described Verkada, a Silicon Valley-based startup, as a “fully centralized platform” that made it easier for her team to access and download footage from thousands of security cameras. The exposed footage seems to include major companies and institutions, but not private homes.

The videos and images purport to capture a number of activities that could be sensitive, such as security videos of the Tesla car production line and a screenshot from inside the security company Cloudflare. Some of the material is very personal, including videos of patients in hospital intensive care units and inmates at Madison County Prison in Huntsville, Alabama.

Kottmann described the security of Verkada systems as “non-existent and irresponsible” and said her group targeted the company to demonstrate how easy it is to access internet-connected cameras placed in highly sensitive locations.

Security images from Halifax Health provided by APT-69420.

Provided by Till Kottmann


Verkada said it notified its customers of the hack and that its security teams were working with an external security firm to investigate it. Verkada told CBS News: “We have disabled all internal administrator accounts to prevent unauthorized access. Our internal security team and external security firm are investigating the extent and scope of this issue and have notified law enforcement.”

Screenshot of a Cloudflare office building from images provided by APT-69420.

Provided by Till Kottmann


The FBI did not comment. CBS News contacted Tesla and Equifax, but they were not available for comment when this story was published.

Kottmann provided CBS News with a 5 gigabyte archive containing videos and images from the hack and described the attack as “non-technical” and not difficult to accomplish.

Screenshot of a prison unit from security footage provided by APT-69420.

Provided by Till Kottmann


Kottmann said her group discovered a Verkada administrator username and password stored on an unencrypted subdomain. The company, she said, exposed an internal development system to the internet that contained encrypted credentials for a system account, which she said gave them full control over their “super administrator” system.

“We scan very large vectors for vulnerabilities. This was easy. I simply used their web application as any user would, except that I had the ability to switch to any desired user account. I did not access any server. We simply connected to their web user interface with an extremely privileged user [account],” Kottmann said.

Kottmann said her group of hackers is not motivated by money and is not sponsored by any country or organization. “APT-69420 is not supported by any nation or corporation, it is only supported by gay, fun and anarchy,” she said.

When asked if she feared the repercussions, Kottmann replied, “Maybe I should be a little more paranoid, but at the same time what would change? I will be as targeted as I am now.”
