Verkada’s systems were recently breached by a ‘hacktivist’ collective that gained access to more than 150,000 of the company’s cameras, in locations ranging from Tesla factories to police stations, gyms, schools, prisons and hospitals. The group, calling itself Advanced Persistent Threat 69420, obtained online credentials for Verkada’s ‘Super Admin’ accounts. Announcing their findings, they said they were motivated by ‘a lot of curiosity, a struggle for freedom of information and against intellectual property, a large dose of anti-capitalism, a hint of anarchism – and it’s just too nice not to do that.’
Now, anonymous employees of Verkada say that the same “Super Admin” accounts the hackers accessed were also widely shared within the company. More than 100 employees had Super Admin privileges, Bloomberg reported, which meant that these individuals could view the live feeds of tens of thousands of cameras around the world at any time. “We literally had 20-year-old interns who had access to more than 100,000 cameras and could see all their feeds worldwide,” one former senior employee told the publication.
Verkada, meanwhile, says that access was limited to employees who needed to solve technical problems or handle complaints from users. “Verkada’s training program and employee policies are both clear that support staff needed the client’s explicit consent before they could access the client’s video stream,” the Silicon Valley firm said in a statement to Bloomberg.
The Washington Post, however, cites the testimony of surveillance researcher Charles Rollet, who says that people with good knowledge of the company informed him that Verkada employees could access feeds without the customers knowing. “People do not realize what is happening on the back end, and they assume that there are always these super-formal processes regarding access to footage, and that the company will always have to give express permission,” Rollet said. “But this is clearly not always the case.”
Another former employee told Bloomberg that although Verkada’s internal systems asked workers to explain why they were accessing a customer’s camera, this documentation was not taken seriously. “No one cares to check the logs,” the employee said. “You can put anything you want in the note; you can even enter just a single space.”
Verkada’s cloud-based cameras have been sold to customers based in part on their analytics software. One feature called “People Analytics” allows customers to “search and filter based on many different attributes, including gender attributes, color and even a person’s face,” Verkada said in a blog post. The same cloud-based systems that give customers easy access to their cameras also made the breach possible.
The hacker collective Advanced Persistent Threat 69420 (the name is a nod to the taxonomy used by cyber security companies to catalog state-sponsored hackers, combined with the meme numbers 69 and 420) says it wants to inform the public about the dangers of such ubiquitous surveillance. The breach “reveals how broadly we are being investigated and how little care is being taken to secure at least the platforms used for this, and to pursue nothing but profit,” one member of the group told Bloomberg. “It’s just wild how I can just see the things happen that we always know, but we’ve never seen.”