Verkada Mass Hack
Verkada has suffered a massive hack, according to Bloomberg, of all ~150,000 of the company's cameras.
Worse, the hacker told Bloomberg they were "able to obtain 'root' access on the cameras" including "to pivot and obtain access to the broader corporate network of Verkada’s customers."
[UPDATE: Verkada Gave Various Employees Access To Any Camera Without Telling Customers, IPVM confirmed with the hacker and from an individual with direct knowledge of this functionality.]
On the positive side for Verkada, it locks in its customers: they cannot switch vendors or disconnect their cameras from Verkada's servers without throwing the Verkada cameras away.
Moreover, many Verkada customers pre-pay their annual subscriptions years in advance, and such payments are non-refundable and non-transferable, so switching would incur further losses.
Beyond the obvious risk to Verkada's customers, this is awkward for Verkada considering Verkada has attacked and demeaned its competitors' cybersecurity, e.g. against ONVIF:
Moreover, Verkada has attacked NVR and IP camera cybersecurity, e.g., this sales recruiting presentation:
But when people list us and when they talk about us, they refer to us as the cybersecurity company. And that's the important part. It's like 15% of every IoT hack is done through your camera system today.
After today, Verkada will be certainly less well known as 'the cybersecurity company.'
Particularly alarming, per Bloomberg, was that:
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. [emphasis added]
Cloud-managed video surveillance has both advantages and disadvantages when a hack like this occurs.
On the advantageous side, Verkada was able to immediately block access to this specific hack across all cameras (until the next vulnerability is discovered, etc.). With non-cloud systems (recall the 2017 mass Dahua hacking), the manufacturer has to push firmware to each user and hope they upgrade over weeks or months (or never).
The disadvantage is that when a hacker hacks a cloud-managed video surveillance provider, they get access to all the customers immediately. In this case, it was Tesla, 30 Fortune 500 companies, hundreds of government entities, etc. Worse, they then have internal access to those networks, risking further attacks.
While Verkada will likely emphasize that they fixed it, it will at least present significant headwinds to the company that has been hiring at an unprecedented rate, e.g. per LinkedIn:
Verkada has prioritized sales expansion over growing the engineering team, with 150% more salespeople than engineers and almost half the entire company in sales, per LinkedIn:
This might present an opportunity for Verkada to focus more on engineering, though ambitious sales targets may suffer.
See other recent Verkada IPVM coverage:
- Verkada Access Control Tested
- Verkada Access Reader Tested (AD31)
- Verkada SV11 Environmental Sensor Tested
- Man Convicted for $11 Million Fraud Touts Verkada Partnership
- Verkada Spiffs Security Integrator Salespeople
- Verkada Fires 3
UPDATE: Verkada has sent an email to customers:
The most notable element disclosed was about an internal admin account being used:
suspending all internal admin accounts, one of which was allegedly used to gain access
The link to the Security Update has just 3 paragraphs, a subset of what is in this email.
UPDATE March 10: Verkada has a new Security Update with more technical details:
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
UPDATE: SIW published an explanation from the hackers about how they exploited the Jenkins server:
“We found super admin credentials in a python script on a publicly exposed Veracode Jenkins Plugin on the Verkada server, which allowed us to log in to their web app with super admin privileges,” Kottmann explains, displaying the actual screenshot of the group’s exploits attached to an email that was sent to SIW. “We did not exploit any flaws or vulnerabilities. The cameras have a built-in maintenance backdoor, which allows anyone with super admin privileges to access a root shell on any camera of any customer at the click of a button.”
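The root cause described in these two updates is a privileged credential written directly into a maintenance script. The following is an added example, not Verkada's, IPVM's or the hackers' code; the script contents, variable names and URL are constructed. It shows a minimal check that flags literal secret assignments in a script like the one described and passes the hardened form, which reads the credential from the environment at run time (e.g. injected by the CI server's credential store) rather than from the source.

```python
"""Flag hard-coded credentials in a bulk-maintenance script (constructed example)."""
import re

# Constructed sample of a maintenance script with an admin password embedded in the source.
LEAKY_SCRIPT = '''
import requests
ADMIN_USER = "superadmin"
ADMIN_PASSWORD = "Example-Placeholder-Pass-123"   # constructed placeholder, not a real value
def set_image_settings(camera_id, brightness):
    return requests.post("https://example.invalid/api/cameras/%s" % camera_id,
                         auth=(ADMIN_USER, ADMIN_PASSWORD), json={"brightness": brightness})
'''

# Hardened form: the secret is supplied through the environment at run time,
# so the script can be published or mirrored without leaking it.
SAFE_SCRIPT = '''
import os, requests
ADMIN_USER = os.environ["MAINT_USER"]
ADMIN_PASSWORD = os.environ["MAINT_PASSWORD"]
def set_image_settings(camera_id, brightness):
    return requests.post("https://example.invalid/api/cameras/%s" % camera_id,
                         auth=(ADMIN_USER, ADMIN_PASSWORD), json={"brightness": brightness})
'''

# A line-start assignment of a quoted string literal to a secret-looking name.
SECRET_ASSIGNMENT = re.compile(
    r'^[ \t]*(?P<name>\w*(?:pass(?:word)?|secret|token|api_?key)\w*)[ \t]*=[ \t]*'
    r'(?P<quote>["\'])(?P<value>.+?)(?P=quote)',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for every literal secret assignment found."""
    hits = []
    for m in SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("name")))
    return hits


if __name__ == "__main__":
    print("leaky:", find_hardcoded_secrets(LEAKY_SCRIPT))  # [(4, 'ADMIN_PASSWORD')]
    print("safe:", find_hardcoded_secrets(SAFE_SCRIPT))    # []
```

A check like this belongs in a pre-commit hook or CI step; it does not replace rotating any credential that has already been committed, and it says nothing about whether the account the credential unlocks should have had customer-wide privileges at all.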
UPDATE: Multiple Verkada employees are telling people that the leaked credentials were from a "disgruntled" employee. Whether this is true is unclear, but that is the messaging coming out of San Mateo in the past day, according to IPVM sources.