
How a loophole in Verkada’s CCTVs exposed the working and situations of Tesla and top tier hospitals

Verkada, a cybersecurity startup, is now the victim of a bigger threat, with its ultra-secure CCTV cameras now hacked and exposed.

Businesses grapple with cybersecurity issues daily. Recent developments, the impact of a global pandemic, and cybersecurity statistics show a large rise in compromised and hacked data from sources that are becoming more prevalent in the workplace, such as smartphones and IoT devices. (1) COVID-19 has also increased the number of remote workers, increasing the risk of cyberattacks. Furthermore, according to recent security reports, most enterprises have unprotected data and inadequate cybersecurity policies, leaving them vulnerable to data loss. Companies must make cybersecurity awareness, prevention, and protection best practices part of their culture to deter malicious intent effectively (2).

According to Nasdaq reports, the United States, the world’s largest economy with a nominal GDP of nearly 21.5 trillion dollars, accounts for one-fourth of the global economy. The United States has been hit so hard by cybercrime that an FBI supervisory special agent who investigates cyber intrusions told The Wall Street Journal in 2018 that every American citizen should assume that all of their data or personally identifiable information has been compromised and is on the dark web, which is intentionally concealed and used to hide and facilitate heinous activities. According to some figures, the deep web, which is not indexed or available by search engines, is 5,000 times greater than the surface web and growing at an unquantifiable pace. (3) Cybercriminals buy and sell malware, exploit kits, and cyberattack services on the dark web, which they use to hack companies, governments, utilities, and critical service providers on American soil. A cyberattack can cripple a city’s, state’s, or even our entire country’s economy.

The figures are staggering and terrifying. According to the FBI, the number of cyberattack complaints received by their Cyber Division has risen to as many as 4,000 a day. That’s a 400 percent increase from what they saw before the coronavirus. Interpol describes “an unprecedented rate of cyberattacks directed at large businesses, governments, and critical infrastructure.” These attacks are directed at various companies, but large corporations, governments, and vital medical facilities have been especially targeted. The total numbers tell part of the tale about how many cyberattacks there are (4).

Ransomware attacks, in which cybercriminals hold your computer data or network hostage until you pay a ransom, have been extremely successful during the pandemic. Hackers have seized control of the networks of major organizations and are seeking huge ransoms. While it is unclear how much data was stolen or whether the ransom was paid, it seems that these attacks were significant. The Twitter hack was the most well-known and widely reported attack during the pandemic. On July 15, someone hacked into the Twitter accounts of various celebrities, business executives, businesses, and politicians, tricking people into sending Bitcoin to an account (5).

As per the Wall Street Journal, the hacker used a mix of conventional hacking techniques, such as phishing sites and social engineering, to carry out the assault. The hacker was able to gain access to sensitive information through social engineering, enabling him to carry out the attack. It could also act as a lesson to businesses that cyberattacks are often not carried out exclusively online. Physical protection of information access is often just as critical as cybersecurity. The con netted around 117,000 dollars, but it also resulted in the arrest of a 17-year-old hacker in Florida. It did not end there.

The next big hit occurred recently, when Tesla’s CCTV cameras were hacked and footage from many other CCTV cameras was captured and released onto the dark web and social media portals. Though this footage was taken down, it did not escape the public eye. The Streisand effect took its turn. Much of it spread like fire, and it exposed Tesla and many others, including a hospital in Florida. The point of this huge cyberattack was not the fact that Tesla or the others were compromised; it was the CCTV system itself that fell prey to these hackers’ hands. Verkada, a cybersecurity startup that creates security products like CCTV cameras and face cams, was a victim of this huge fallout (6).

The Cyberhack – What Happened?

Hackers claim to have hacked Verkada, a company based in Silicon Valley, and gained unauthorized access to the live feeds of 150,000 security cameras. According to them, the hack provided them with widespread access to surveillance footage from companies including Tesla and Cloudflare, as well as hospitals, corporations, law enforcement agencies, schools, and jails. According to a report published on Bloomberg’s website, the group provided video footage from cameras run by Verkada in San Mateo, Calif., to prove the success of their breach. Verkada claims to be a more reliable and flexible alternative to on-premises video surveillance systems by offering and maintaining a web-based network of security cameras (7).

The incident exemplifies the wide range of privacy and security issues that can arise when video surveillance footage falls into the wrong hands. According to security experts, it’s also very likely to place Verkada in regulatory and legal trouble once the investigation is over. The hacker group, known as Advanced Persistent Threat 69420, reported having hacked security cameras inside Florida hospital Halifax Health, with footage shown by Bloomberg appearing to show eight hospital staffers tackling a man and then holding him down on a bed. Bloomberg also saw video from inside a Tesla factory in Shanghai, which showed employees on an assembly line. The hackers gained access to 222 cameras that captured activity inside Tesla factories and warehouses.

They also claimed to have seen surveillance video from a Stoughton, Massachusetts police station. Meanwhile, the hackers said in a statement that they obtained access to surveillance cameras at Sandy Hook School in Newtown, Connecticut, where a shooter killed more than 20 people in 2012; 330 security cameras inside the Madison County Jail in Huntsville, Alabama; cameras at various Equinox locations; and surveillance videos from Wadley Regional Med’s ICU. The group obtained access to Verkada through a Super Admin account, which they reached using a login and password for an administrator account that was publicly accessible on the internet. According to Kottmann, this gave them access to all of the company’s customers’ cameras (8).

According to the broadcaster, the hackers lost access to the video feeds and archives after the publication contacted Verkada. One security expert found that this approach illustrates the downstream effect of email-based attacks such as spear-phishing attacks, which use social engineering to trick a company’s employees into handing over credentials. On Wednesday morning, Verkada did not immediately respond to a request for comment about the attack and the company’s mitigation efforts. In a statement to Bloomberg, a Verkada spokesperson said the organization had disabled all internal administrator accounts to prevent unauthorized access. “We have informed law enforcement, and our internal security team and external security firm are investigating the size and nature of this issue,” the spokesperson said.

The incident is currently being investigated by Verkada’s CISO, an internal team, and an external security agency. The company is now informing customers and setting up a helpline to handle inquiries and requests for assistance. In the breach, hackers obtained access to videos and live feeds from 150,000 surveillance cameras, including those belonging to Tesla. The attackers gained access to data collected by Verkada Inc., a cloud-based camera management startup. Aside from Tesla, the hackers obtained access to data from website security firm Cloudflare, as well as live feeds from hospitals, jails, schools, and Verkada’s offices (9).

The breach was confined to a supplier’s manufacturing site in China, according to Tesla, with its Shanghai car factory and showrooms remaining unaffected. According to the release, the factory’s data was captured locally, and the breach posed no security danger. The cameras have been shut down since then. Some of Verkada’s customers use face recognition software, which means that people captured by the cameras could be recognized and monitored. The hackers appear to have obtained access to the entire video archive of the organization. They claimed to have accessed 222 surveillance cameras in Tesla factories and warehouses as part of the Tesla hack.

They warned that they might have accessed other sections of Tesla’s networks by controlling the cameras. Furthermore, the hackers appear to have gained access to Verkada’s entire customer list and private financial details. The scope of the attack has yet to be verified by the company. The Verkada hackers then released the footage to Bloomberg. Since then, it has been spreading like fire.

What is Verkada?

Verkada, which was founded in 2016, sells everything a school, office, or business needs to begin tracking their physical space, from indoor and outdoor cameras to door access controls and temperature, motion, and noise sensors. Customers can use Verkada’s cloud service to link their hardware to the internet, enabling them to view and store real-time video from anywhere and use the company’s artificial-intelligence features to monitor people as they travel around the real world. Customers may use Verkada’s People Analytics program to automatically track a person through a building or campus based on their appearance and clothing color (10).

Verkada’s high-resolution cameras start at 599 dollars, with annual cloud licenses at 199 dollars. A dedicated 1,999-dollar viewing station that can stream up to 36 cameras at once is also available. Verkada and its rivals argue that their centralized monitoring systems will improve public security and keep people safe by identifying threats and deterring illegal activity before it happens. The demand for video analytics systems is rapidly expanding: Avigilon, for example, has sold camera software with features such as suspicious motion detection and presence search to a range of companies and public agencies throughout the United States, including school districts that have been traumatized by mass shootings.