The Verkada Hack
Verkada Inc., a cloud-based security camera provider, suffered a major security breach when hackers gained access to over 150,000 of the company’s cameras inside hospitals, jails, police stations, schools, gyms, warehouses, and factories. Hackers exposed camera footage and live video feeds of various Verkada customers, including Tesla, Cloudflare, Halifax Health, Equinox, and many more. Hackers also claimed that they gained access to the full video archive of Verkada’s customers.
Verkada takes pride in offering internet-connected security cameras with a slick web interface that provides best-in-class security to enterprises. The security breach of Verkada cameras raised doubts about the capabilities of access control systems implemented by medium to large-scale organizations across the world.
This article provides an overview of why Verkada was hacked and the steps organizations should take to protect their systems.
How Hackers Accomplished the Attack
The hack was straightforward. A few members of the International Hacker Collective managed to gain ‘Super Admin’ access to Verkada’s system through administrator account credentials (username and password) they found online. The super admin rights gave them access to all the surveillance cameras of Verkada and its clients.
A spokesperson from Verkada confirmed that hackers accomplished the attack via a Jenkins Server used by the company’s IT support team that regularly conducts maintenance operations on clients’ surveillance cameras.
Tillie Kottmann and Her Motives
Tillie Kottmann was the person behind the Verkada hack. Kottmann is a Swiss hacker and a member of the International Hacker Collective “APT-69420 Arson Cats.” She is also known for data breaches at Intel in August 2020 and Nissan Motors in January 2021.
The motive behind this hack was to show the fragility of various large-scale organizations’ security systems, including those of Verkada, which bills itself as a game-changer in the security environment. Kottmann, in a Bloomberg interview, said that the reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
The Issues This Data Breach Exposes
Though this hack did not do any harm to the physical and digital assets of Verkada’s clients, it provided a sobering reminder to many, including security firms, enterprises, hospitals, and property managers, that poorly managed access control systems and compromised super admin credentials can make security vulnerable to hacking.
Super admin privileges were too commonplace
A super administrator is a user who has access to everything within a system. Super admin accounts can add, activate, deactivate, and remove users, groups, and other super administrators. If super admin details are commonplace, the security system will become vulnerable to physical and cybersecurity threats.
The Verkada incident reflected the truth behind how super admin privileges get abused by people within an organization, knowingly or unknowingly. A report from IPVM highlighted that super admin credentials, when available to many team members, become vulnerable to breaches. IPVM’s report also stated that every team member at Verkada, including executives, had super admin privileges.
Many cloud-based security providers create a “global admin” account to give customer support teams access to customer security systems. This is to increase convenience for the customer support teams. From the safety point of view, this is a bad practice.
“The whole idea of having ‘global admin access’ for your Customer Support team to access all of your customers’ accounts is insane,” stated Mishit Patel, Head of Technology at Genea. “Let your customer decide who can have access to their system.”
Filip Kaliszan, CEO of Verkada, confirmed that the organization revoked global admin access to cameras after drawing criticism that it gave Verkada employees access to customer cameras without telling customers.
Access control needed to be better
The Verkada hack exposes the need for better access control systems. Access control aims to minimize the risk of unauthorized access to the systems at the workplace.
At the basic level, a robust access control system should restrict unauthorized entry into building premises. A few common physical control mechanisms are cloud-based access control, video management, physical key fobs, mobile keys, door sensors, Internet of Things (IoT) devices, facial recognition tools, and visitor management systems. For instance, integrated access control and video surveillance tools trigger a notification to internal security teams when unauthorized door access events occur anywhere on the building premises.
At an advanced level, an access control system should restrict unauthorized people from accessing sensitive data. IT teams should adopt advanced tools or techniques such as identity management, role-based access permissions, user-based access permissions, and multi-factor authentication to reduce the risk of cyberattacks.
How to Defend Yourself Against Data Breaches
Several mechanisms, including the Principle of Least Privilege (POLP) and two-factor authentication (2FA), can help to defend against data breaches like the one at Verkada.
The Principle of Least Privilege (POLP)
POLP is a widely accepted access control philosophy that emphasizes a user having bare minimum privileges to perform a function. For instance, a user who just needs to download files from a database does not need admin privileges. In an IT environment, POLP reduces the risk of attackers gaining access to sensitive data through a compromised low-level account or a device.
An organization can implement the POLP mechanism through the following steps:
- Conduct privilege audits to check if all users have the necessary permissions to perform their day-to-day tasks.
- Compartmentalize all account privileges and segment them into admin accounts, executive accounts, standard accounts, and more.
- Remove any additional access privileges that users hold beyond what they need.
- Create one-time privileges that expire immediately after the user completes an action.
- Use time-restricted features while granting access to users. For example, users may not be able to gain access to a system until they fill out a form or enter a one-time password.
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is a security mechanism that verifies a user twice before granting access to a specific system. One of the widely used 2FA methods is a combination of username/password and one-time password (OTP). Advanced access control systems use authentication factors such as facial recognition, retina patterns, and fingerprints to ensure an authorized person logs into a system.
If Verkada security cameras had multi-factor authentication in place, it would have been impossible for hackers to accomplish this attack. While revoking the global admin access, Verkada’s CEO acknowledged the importance of having two-factor authentication or multi-factor authentication as an access control mechanism.
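The POLP steps and the 2FA requirement above can be combined into one check, shown here as an added example that is not code from Verkada or Genea. It audits an account inventory for excess privileges and admins without a second factor, then replaces standing global access with a one-time, customer-approved grant that expires. All account names, roles, and permission names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory; users, roles and permission names are hypothetical.
ACCOUNTS = [
    {"user": "support-01", "role": "super_admin", "mfa": False, "needs": {"view_tickets"}},
    {"user": "ops-lead", "role": "super_admin", "mfa": True, "needs": {"manage_users"}},
    {"user": "analyst-07", "role": "standard", "mfa": True, "needs": {"view_tickets"}},
]
# Compartmentalized roles: each role maps to the permissions it carries.
ROLE_PERMS = {
    "super_admin": {"view_tickets", "manage_users", "view_all_cameras"},
    "support": {"view_tickets"},
    "standard": {"view_tickets"},
}

def audit(accounts):
    """Return (user, finding) pairs: excess permissions and admins without MFA."""
    findings = []
    for a in accounts:
        excess = ROLE_PERMS[a["role"]] - a["needs"]
        if excess:
            findings.append((a["user"], "excess:" + ",".join(sorted(excess))))
        if a["role"] == "super_admin" and not a["mfa"]:
            findings.append((a["user"], "admin_without_mfa"))
    return findings

@dataclass
class Grant:
    user: str
    customer: str
    expires: datetime
    used: bool = False

def request_access(user, customer, customer_approved, mfa_ok, now, ttl_minutes=30):
    """Issue a grant for one customer only, and only with approval and a second factor."""
    if not (customer_approved and mfa_ok):
        return None
    return Grant(user, customer, now + timedelta(minutes=ttl_minutes))

def use_grant(grant, customer, now):
    """One-time use: valid for the approved customer, before expiry, exactly once."""
    if grant is None or grant.used or grant.customer != customer or now >= grant.expires:
        return False
    grant.used = True
    return True
```

Running `audit(ACCOUNTS)` flags both super admin accounts for permissions beyond their stated needs, which is the pattern the IPVM report described.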
Tighten Up Your Physical Access Control with Genea
The Verkada hack wouldn’t have happened if the organization had adopted advanced access control techniques, identity management, role-based access permissions, user-based access permissions, POLP, and multi-factor authentication. Organizations should also implement a robust physical access control system that supports the integration of video management tools, door sensors, facial recognition tools, and visitor management systems to improve workplace security.
Genea’s innovative technologies help organizations enhance both physical and logical access control. It offers solutions such as cloud-based access control, building access control, mobile access control, visitor management systems, and robust API integrations for video management, single sign-on, and critical event management to streamline security operations.