United States: Hackers breach CCTV cameras inside hospitals, companies, police departments, prisons and schools

A group of hackers breached security camera data collected by start-up firm Verkada Inc and gained access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

Hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Tesla, Cloudflare and Verkada itself.

Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.

The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching Verkada.

Kottmann previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement.

“Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.

Verkada, founded in 2016, sells security cameras that customers can access and manage through the web. In January 2020, it raised USD $80 million in venture capital funding, valuing the company at USD $1.6 billion. Among the investors was Sequoia Capital, one of Silicon Valley’s oldest firms.