Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.
In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”
Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada.
Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement.
“The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
Representatives of Tesla and other companies identified in this story didn’t immediately respond to requests for comment. Representatives of the jails, hospitals and schools named in this article either declined to comment or didn’t immediately respond to requests for comment.
A video seen by Bloomberg shows officers in a police station in Stoughton, Massachusetts, questioning a man in handcuffs. The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama. Verkada offers a feature called “People Analytics,” which lets a customer “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” according to a Verkada blog post.
Images seen by Bloomberg show that the cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, track inmates and correctional staff using the facial-recognition technology.
The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks.
Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.
The hackers say they were able to peer into multiple locations of the luxury gym chain Equinox. At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras pointed at nine ICU beds. Hackers also say they watched cameras at Tempe St. Luke’s Hospital, in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did so. A representative of Wadley declined to comment.
The hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,” Kottmann said. “It’s just wild how I can just see the things we always knew are happening, but we never got to see.” Kottmann said they gained access to Verkada’s system on Monday morning.
Verkada, founded in 2016, sells security cameras that customers can access and manage through the web. In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion. Among the investors was Sequoia Capital, one of Silicon Valley’s oldest firms.
Kottmann calls the hacking collective “Advanced Persistent Threat 69420,” a light-hearted reference to the designations cybersecurity firms give to state sponsored hacking groups and criminal cybergangs.
In October 2020, Verkada fired three employees after reports surfaced that workers had used its cameras to take pictures of female colleagues inside the Verkada office and make sexually explicit jokes about them. Verkada CEO Filip Kaliszan said in a statement to Vice at the time that the company “terminated the three individuals who instigated this incident, engaged in egregious behavior targeting coworkers, or neglected to report the behavior despite their obligations as managers.”
Jails, Homes, Offices
Kottmann said they were able to download the entire list of thousands of Verkada customers, as well as the company’s balance sheet, which lists assets and liabilities. As a closely held company, Verkada does not publish its financial statements. Kottmann said hackers watched through the camera of a Verkada employee who had set one of the cameras up inside his home. One of the saved clips from the camera shows the employee completing a puzzle with his family.
“If you are a company who has purchased this network of cameras and you are putting them in sensitive places, you may not have the expectation that in addition to being watched by your security team that there is some admin at the camera company who is also watching,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who was briefed on the breach by Bloomberg.
Inside Arizona’s Graham County detention facility, which has 17 cameras, videos are given titles by the center’s staff and saved to a Verkada account. One video, filmed in the “Commons Area,” is titled “ROUNDHOUSE KICK OOPSIE.”
A video filmed inside the “Rear Cell Block” is called “SELLERS SNIFFING/KISSING WILLARD???” Another video, filmed inside “Drunk Tank Exterior,” is titled “AUTUMN BUMPS HIS OWN HEAD.” Two videos filmed from “Back Cell” are titled “STARE OFF – DONT BLINK!” and “LANCASTER LOSES BLANKET.”
The hackers also obtained access to Verkada cameras in Cloudflare offices in San Francisco, Austin, London and New York. The cameras at Cloudflare’s headquarters rely on facial recognition, according to images seen by Bloomberg.
“While facial recognition is a beta feature that Verkada makes available to its customers, we have never actively used it nor do we plan to,” Cloudflare said in its statement.
Security cameras and facial-recognition technology are often used inside corporate offices and factories to protect proprietary information and guard against an insider threat, said the EFF’s Galperin.
“There are many legitimate reasons to have surveillance inside of a company,” Galperin added. “The most important part is to have the informed consent of your employees. Usually this is done inside the employee handbook, which no one reads.”
China’s Microsoft Hack, Russia’s SolarWinds Attack Threaten To Overwhelm U.S.
China’s global attack on Microsoft’s popular email software revealed last week and an equally sprawling Russian attack discovered three months ago have created a two-front war that threatens to overwhelm cybersecurity’s emergency responders, according to former U.S. officials and private security firms.
The coincidence of two far-reaching hacking campaigns launched by Russia and China, discovered just weeks apart, is now rippling across the global economy — swamping insurers, IT staff, and firms that specialize in hunting and ejecting hackers.
The twin hacking campaigns involve the U.S.’s two most powerful cyberspace adversaries, and both have led to emergency meetings of the White House National Security Council, in part because of the unusually wide net cast by the attackers.
But for the tens of thousands of companies that have been impacted by one or another of the attacks, the one-two punch has left them scrambling to secure their computer systems — in some cases from hackers who are piling on the original nation-state attacks.
“It’s a race,” said Tom Burt, Microsoft’s corporate vice president for customer security & trust. “Since the time we went public with the update’s availability, we’ve seen the number of compromised customers just explode. It went up incredibly rapidly and continues to increase.”
Microsoft Corp. disclosed on March 2 that suspected Chinese state-sponsored hackers were exploiting four previously unknown vulnerabilities in the company’s widely used Exchange business email software and issued a patch for those systems.
Since that disclosure, other hackers have used automated programs to scan the internet, in some cases looking for companies that have yet to install the fix. Some of those are criminal groups trying to re-purpose secret entry points that China installed in its numerous victims, according to cybersecurity companies monitoring the aftermath.
The close proximity of the Chinese and Russian attacks may not be a coincidence, security experts say. China may have timed its effort to take advantage of the distraction created by the Russian hack, which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp., including key government agencies.
“The attack on Microsoft Exchange is a cold and calculated assault,” said Lior Div, co-founder and chief executive officer of Cybereason, a Boston-based security company. “The Chinese attackers know exactly what they are doing. The new administration has been distracted by investigations into another U.S. adversary on the cyber battlefield – Russia – and its calculated breach against SolarWinds.”
A White House spokesperson said Monday that high-level members of President Joe Biden’s National Security Council worked through the weekend responding to the latest incident. And the U.S. Cybersecurity and Infrastructure Security Agency in an emergency advisory Monday described hackers’ exploitation of the flaws in Microsoft’s email product as now “widespread and indiscriminate.”
For months before they were caught in December, Russian state hackers used altered SolarWinds software to spy on at least nine U.S. government agencies and hundreds of companies. China’s hack has already claimed 60,000 victims globally, Bloomberg reported on Saturday, though some estimates have put the number of Exchange servers that could be vulnerable to infection at close to 300,000 worldwide.
“I can’t think of an equivalent breach,” Alex Stamos, a cybersecurity consultant and the former head of security at Facebook Inc., said of the Chinese attack. “It’s a combination of the kind of mass-exploitation you often see with unpatched home routers, but instead of crypto-miners who are having no impact, these attackers are able to get all an organization’s email.”
One victim of the most recent attack is the European Banking Authority, which said Monday that it had shut down its email systems while it carried out an investigation into a “cyberattack” on its Microsoft Exchange servers. Radu Burghelea, head of information technology, confirmed in a message to Bloomberg that the organization had discovered malicious software on the servers but not yet detected the theft of any emails from them.
The tactics used by China in particular leave victims vulnerable to other hackers. Victims could have their IT systems locked up by ransomware gangs, the personal information of their customers and employees stolen and sold to identity thieves, or their computers used to attack others.
“Currently, most of what we have observed has been automated scanning and reconnaissance,” said Mat Gangwer, a senior director of managed threat response for Sophos Ltd., a British cybersecurity company.
“The real question will be, are these organizations able to patch, assess and clean their environments before more harmful actors, such as ransomware groups, begin leveraging” the malicious code that’s been installed on the servers, he added.
That job will fall to specialized security firms and in-house IT staff that are already exhausted from weeks of fighting off Russia’s sprawling and sophisticated attack.
“What makes it even harder is that defenders are experiencing successive waves of attacks, and many have not been able to restore their environments to a safe operating condition, even though things may ‘seem’ normal,” said Michael Henry, chief executive officer of Texas-based Arbala Security Inc., describing his work with clients dealing with back-to-back issues of SolarWinds and now the Exchange server vulnerabilities.
In the most recent incident, companies can install the patch issued last week by Microsoft, but that doesn’t mean the hackers will be gone. In some cases, specialized teams will need to scour the infected computer systems, looking for hidden entry points planted by the hackers in order to shut them out.
FireEye Inc., a large U.S. cybersecurity firm, is now responding to dozens of cases in the U.S., Europe and Asia in attacks involving the flawed Microsoft code. Still, with not enough experts available from FireEye and other firms, the impact of the latest wave of attacks could linger for weeks or even months.
“There will be backdoors sitting on Exchange servers for quite a while,” said Charles Carmakal, senior vice president at FireEye.
Russian Accused Of Tesla Hack Plot Pleads Guilty In Nevada
A Russian national charged with plotting a cyberattack on Tesla Inc. pleaded guilty.
Egor Igorevich Kriuchkov, who was accused of trying to recruit an employee at a unidentified company to introduce malware in the electric car-maker’s computer system, admitted Thursday to conspiring to intentionally cause damage to a protected computer. He entered his plea during a video hearing in Nevada federal court.
Tesla Chief Executive Officer Elon Musk had tweeted in August, a few days after Kriuchkov’s arrest, that “this was a serious attack.”
Kriuchkov promised the employee he would get $1 million after the malware was introduced into the computer network, according to the Justice Department.
Swiss Hacker’s Indictment Spotlights Ethics of Activist Attacks
The indictment of a 21-year-old Swiss hacker who claimed credit for exposing the flaws in a surveillance camera company’s system is likely to stir debate about whether attacks by activists for social or political causes are criminal behavior.
Tillie Kottmann, who uses they/them pronouns, was indicted Thursday in Seattle and charged with crimes including wire fraud and identity theft. Kottmann made headlines last week when they claimed credit for gaining access to the 150,000 security cameras sold by San Mateo, California-based Verkada Inc. While the charges don’t involve the Verkada incident, Kottmann previously said they hacked Nissan Motor Co., and leaked documents from chipmaker Intel Corp.
Kottmann, in a previous interview, said their hacking is inspired by an anti-intellectual property and anti-capitalist world view.
For decades, underground hackers have pushed the limits of the law under the banner of “hacktivism,” pursuing a variety of leftist and anti-authoritarian ideals. In some cases, the U.S. government has been overly aggressive in its prosecution of those hackers, said Gabriella Coleman, a professor at McGill University in Montreal who has extensively researched hacker culture.
“The hammer went down on hackers so heavily from the ’80s to the present, so the hacker community has this in mind,” Coleman said, adding she expects Kottmann to garner even more support in hacker circles following the indictment.
Coleman said the Verkada break-in may be viewed differently than the hacks included in the indictment because Kottmann spoke to a journalist to publicly expose the video cameras’ flaws.
“Some people would see that they did something in the public interest, and some of the escapades from prior were sort of useful hacking escapades,” Coleman said. “A lot of security researchers working for big name companies can identify with that, because their past was also about exploring these systems, and messing around, and sometimes messing up, as well.”
Prosecutors in Seattle, however, sharply rebuked the view that the hacks had any redeeming quality.
“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech — it is theft and fraud,” Acting U.S. Attorney Tessa Gorman said in a statement announcing Kottmann’s indictment. “Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”
The U.S. accused Kottmann of hacking dozens of companies and government agencies, and said Kottmann operated a website, called “git.rip,” that published the internal documents and source code of more than 100 entities.
The named victims include the state of Washington and the Washington Department of Transportation, as well as a microchip processor or manufacturer and a maker of tactical equipment.
According to an archive of the “git.rip” website, it included leaks from the U.S. Air Force Research Laboratory, Toyota Motor Corp., Adobe Inc., General Electric Co., GitHub and more. The site now displays a message stating it has been seized by the Federal Bureau of Investigation.
Scott Nawrocki, a 21-year FBI veteran who investigated cybercases, said the charges against Kottmann are serious whatever the motivations.
“These kinds of individuals have to be held responsible,” said Nawrocki, now managing director of digital investigations and cyber defense at investigations firm Nardello & Co. “Regardless of ideology, this is not white-hat hacking,” he said, describing those who report computer bugs to companies so they can be fixed. “This is potentially inviting others to conduct hacking operations. To me, that’s criminal activity.”
Nawrocki said there probably would be efforts to extradite Kottmann, and the indictment could limit Kottmann’s travel outside Switzerland because U.S. allies would arrest them.
Swiss lawyer Roman Kost said it’s unlikely Kottmann will be sent to face criminal charges in the U.S., citing Swiss law that allows its citizens not to be extradited without their consent, but they may be punished inside Switzerland.
Swiss hackers “can be tried in Switzerland if there is sufficient suspicion and evidence, and if they are found guilty, they can be punished,” Kost said in an email.
Prosecutors allege that Kottmann sold hacking-inspired merchandise, and that they sought contact from journalists in order to promote their data leaks and themselves. Kottmann’s T-shirts included the phrases: “venture anticapitalist,” “no gender, only crime,” and “I would never do cybercrime.”
Kottmann, citing the advice of their lawyer, declined to comment on the indictment. Swiss lawyer Marcel Bosonnet confirmed he represents Kottmann, but declined to comment further. The Justice Department also declined to comment.