CCTV operation screen of Verkada software.

The cloud-based CCTV company Verkada claimed better security by removing the NVR (Network Video Recorder) from the system. The NVR (or DVR, Digital Video Recorder) was seen by them as a central point of failure. All camera recordings in such systems were typically stored on a hard drive within the NVR or DVR. They opted, instead, to have their cameras do all the video storage within each camera, eliminating the NVR, and then to use online access for any viewing of the cameras that would be necessary.

While the individual cameras may have had secure credentials and encryption, they didn’t count on a leak of their own high-level login details for a Verkada “Super Admin” account.

A Swiss-based hacker, Tillie Kottmann, said that his loosely organized group of fewer than 10 hackers had stumbled on the Verkada credentials, which had been exposed on the Web.

Once inside Verkada’s network, Kottmann said the team was stunned by how much real-time video they could watch — and how many internal features they could access. The company’s centralized software made it easy for the team to access a vast network of sensitive surveillance cameras with only a few clicks.

An empty classroom as seen by one of the 149,000 cameras exposed in the Verkada breach. (Courtesy of Tillie Kottmann)

The hackers gained access on Monday, March 9, and were able to view real-time footage and watch the full collection of customers’ saved videos, Kottmann said. The company was alerted by Bloomberg News and closed the breach the following day.

“It still feels incredibly surreal the amount of foothold I was able to gain from this,” Kottmann said. “That’s the irony of this whole thing: All the cool features they provide for security are exactly why everything broke.”

Verkada reports what the incident entailed:

The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.

Consider what Verkada claims was obtained by the hackers:

  • Video and image data from a limited number of cameras from a subset of client organizations
  • A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
  • A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.

What was not compromised:

  • User passwords or password hashes
  • Verkada’s internal network, financial systems, or other business systems

Still a very serious concern!

An important lesson from this is that security is never 100%. Implementation of security measures in one area may just move the target to another area.

Addendum: An interesting observation was made by an ASIS colleague. He looked at the leadership team at Verkada and realized that while they all had background in software and technology, none of them had any experience in the security field. They had all of their eggs in one basket, but apparently did not protect that basket enough. Implementation of security often requires thinking “outside the box” and considering all vulnerabilities, threats and risks.


Read more at Bloomberg and the Washington Post.

Verkada has posted a response to the incident on their website, available here:

https://www.verkada.com/security-update/