Verkada Mass Hack

By John Honovich, Published Mar 09, 2021, 05:41pm EST

Verkada has suffered a massive hack, according to Bloomberg, of all ~150,000 of the company's cameras.

IPVM Image

Worse, the hacker told Bloomberg they were "able to obtain 'root' access on the cameras" including "to pivot and obtain access to the broader corporate network of Verkada’s customers."

[UPDATE: Verkada Gave Various Employees Access To Any Camera Without Telling Customers, IPVM confirmed with the hacker and from an individual with direct knowledge of this functionality.]

On the positive side for Verkada, it locks in its customers: they cannot switch providers or disconnect their cameras from Verkada's servers without throwing the Verkada cameras away.

Moreover, many Verkada customers pre-pay their annual subscriptions years in advance, and such payments are non-refundable and non-transferable, so switching would incur further losses.

Beyond the obvious risk to Verkada's customers, this is awkward for Verkada considering that Verkada has attacked and demeaned its competitors' cybersecurity, e.g., against ONVIF:

Moreover, Verkada has attacked NVR and IP camera cybersecurity, e.g., this sales recruiting presentation:

But when people list us and when they talk about us, they refer to us as the cybersecurity company. And that's the important part. It's like 15% of every IoT hack is done through your camera system today.

After today, Verkada will be certainly less well known as 'the cybersecurity company.'

Particularly alarming, per Bloomberg, was that:

The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. [emphasis added]

Cloud-managed video surveillance presents advantages and disadvantages for hacking.

On the advantageous side, Verkada was able to immediately block access to this specific hack across all cameras (until the next vulnerability is discovered, etc.). With non-cloud systems (recall the 2017 mass Dahua hacking), the manufacturer has to push firmware to each user and hope they upgrade over weeks or months (or never).

The disadvantage is that when a hacker hacks a cloud-managed video surveillance provider, they get access to all the customers immediately. In this case, it was Tesla, 30 Fortune 500 companies, hundreds of government entities, etc. Worse, they then have internal access to those networks, risking further attacks.

While Verkada will likely emphasize that they fixed it, it will at least present significant headwinds to the company that has been hiring at an unprecedented rate, e.g. per LinkedIn:

IPVM Image

Verkada has prioritized sales expansion over growing the engineering team, with 150% more salespeople than engineers and almost half the entire company in sales, per LinkedIn:

IPVM Image

This might present an opportunity for Verkada to focus more on engineering, though ambitious sales targets may suffer.

UPDATE: Verkada has sent an email to customers:

IPVM Image

The most notable element disclosed was about an internal admin account being used:

suspending all internal admin accounts, one of which was allegedly used to gain access

The link to the Security Update has just 3 paragraphs, a subset of what is in this email.

UPDATE March 10: Verkada has a new Security Update with more technical details:

The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.

UPDATE: SIW published an explanation from the hackers about how they exploited the Jenkins server:

“We found super admin credentials in a python script on a publicly exposed Veracode Jenkins Plugin on the Verkada server, which allowed us to log in to their web app with super admin privileges,” Kottmann explains, displaying the actual screenshot of the group’s exploits attached to an email that was sent to SIW. “We did not exploit any flaws or vulnerabilities. The cameras have a built-in maintenance backdoor, which allows anyone with super admin privileges to access a root shell on any camera of any customer at the click of a button.”
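
The attack path described in the two updates above (a support-team Jenkins server, and super-admin credentials sitting in a Python script on it) is the failure mode a secrets scan over build and maintenance scripts exists to catch before such a server is ever reachable. The scanner below is an added example written for this page, not code from Verkada, Jenkins, Veracode, SIW or the hackers; the sample script it scans, its hostnames, header values and credential strings are all constructed for the example.

```python
"""Flag hardcoded credentials in build and maintenance scripts.

Added example for this page (not code from Verkada, Jenkins, Veracode, SIW
or the hackers). Everything below, including the sample script it scans,
is constructed; no real hostnames or credentials appear.
"""
import re
from dataclasses import dataclass
from typing import List

# Identifier fragments that usually name a secret (constructed list).
SECRET_NAMES = r"(?:pass(?:word|wd)?|secret|token|api[_-]?key|auth|credential)"

# 1) a string literal assigned to a secret-looking name:  password = "..."
ASSIGN_RE = re.compile(
    r"\b(?P<name>[a-z_]*" + SECRET_NAMES + r"[a-z_]*)\s*[:=]\s*"
    r"(?P<q>['\"])(?P<value>[^'\"]{6,})(?P=q)",
    re.IGNORECASE,
)
# 2) credentials embedded in a URL:  scheme://user:secret@host/
URL_RE = re.compile(
    r"\b[a-z][a-z0-9+.-]*://(?P<user>[^\s:/@]+):(?P<value>[^\s/@]+)@",
    re.IGNORECASE,
)
# 3) an inline HTTP Basic header value
BASIC_RE = re.compile(
    r"Authorization['\"]?\s*[:=]\s*['\"]?Basic\s+(?P<value>[A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)
# Values that are templates or obvious dummies, not live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "redacted"}


@dataclass
class Finding:
    line_no: int
    kind: str      # "assignment", "url" or "basic-auth"
    name: str      # variable, URL user or header the secret was attached to
    masked: str    # first two characters only, so the report does not re-leak it


def _mask(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def _is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "<"))


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking literal, in line order."""
    findings = []
    checks = (("assignment", ASSIGN_RE), ("url", URL_RE), ("basic-auth", BASIC_RE))
    # Comment lines are scanned too: a commented-out password still leaks.
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in checks:
            for m in rx.finditer(line):
                value = m.group("value")
                if _is_placeholder(value):
                    continue
                groups = m.groupdict()
                name = groups.get("name") or groups.get("user") or "Authorization"
                findings.append(Finding(line_no, kind, name, _mask(value)))
    return findings


# Constructed stand-in for a bulk-maintenance helper; it is scanned as text,
# never executed, and none of these values are real.
SAMPLE_SCRIPT = '''\
# constructed bulk-maintenance helper used as scanner input (not a real script)
import requests

API = "https://cameras.example.invalid/api"
ADMIN_USER = "superadmin"
ADMIN_PASSWORD = "S3cr3t-Adm1n-P@ss"      # hardcoded: belongs in a vault
BACKUP_URL = "https://svc:hunter2hunter2@backup.example.invalid/upload"
HEADERS = {"Authorization": "Basic c3VwZXJhZG1pbjpodW50ZXIy"}
db_password = "${DB_PASSWORD}"            # templated at deploy time: not flagged

def set_image_settings(camera_id, settings):
    session = requests.Session()
    session.auth = (ADMIN_USER, ADMIN_PASSWORD)
    return session.post(f"{API}/cameras/{camera_id}/settings", json=settings)
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.kind} credential in {f.name} -> {f.masked}")
```

Run against the constructed script it reports three findings (the admin password assignment, the user:password pair in the backup URL, and the inline Basic header) and deliberately stays quiet on the `${DB_PASSWORD}` template. It is pattern-based on purpose, so it is a pre-commit or CI gate rather than a substitute for a full secrets scanner, and finding a literal is only half the fix: the credential still has to move into a secrets store and, as the page's later update notes, a single super-admin credential that reaches every customer's camera is a design that no scanner repairs.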

UPDATE: Multiple Verkada employees are telling people that the leaked credentials were from a "disgruntled" employee. Whether this is true is unclear, but that is the messaging coming out of San Mateo in the past day, according to IPVM sources.
