Hacktivists claim to have successfully targeted a leading manufacturer of surveillance cameras, enabling them to access the live feeds of 150,000 cameras around the world, according to a new report.
The attack seems to have been the work of an international hacker collective which did it to highlight the privacy risks associated with pervasive monitoring, according to Bloomberg.
The camera maker, San Mateo-headquartered startup Verkada, said it had disabled all internal admin accounts to prevent unauthorized access.
“Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” it added in a statement sent to the news site.
The incident appears to be legitimate: Bloomberg said it had seen video feeds from inside Tesla factories and hospitals. The group claims to have access to Verkada’s entire video archive for all customers, which include women’s health clinics, psychiatric hospitals, jails and even the offices of Verkada itself.
Some of the cameras, such as those inside prisons, use facial recognition to track individuals, the report claimed.
The incident will be embarrassing for Verkada given the firm makes big play of its security credentials, claiming its system was designed to be “secure from the ground up.”
The hacktivists are said to have accessed the feeds through a pretty familiar route – they reportedly found logins for a privileged account exposed on the internet. This gave them root access to the cameras to execute their own code and, in some cases, obtain broader access to customer networks.
“While the Verkada website bolsters that they have a ‘Secure by Default’ methodology, it is clear that while we create devices with security in mind, what humans create typically has flaws,” argued Ordr CSO, Jeff Horne.
“Since the video system data can contain personally identifiable information (PII), company confidential information and personal health information (PHI), it is important that our security community band together to help Verkada, the impacted organizations and the individuals whose privacy was exploited.”