Hackers gain access to security cameras inside Cloudflare, prisons and hospitals

Hackers say they broke into Silicon Valley start-up Verkada’s network and gained access to live video feeds from more than 150,000 surveillance cameras the company manages for Cloudflare, Tesla and a host of ‘other organizations.

The group posted videos and images that they said were taken in the offices, warehouses and factories of these companies, as well as in prison cells, psychiatric wards, banks and schools. Bloomberg News, which first reported the breach, said footage seen by a reporter showed staff at Florida Hospital Halifax Health attacking a man and pinning him to a bed. Another video showed a handcuffed man at a Stoughton, Massachusetts police station being questioned by officers.

“I don’t think the claim ‘we hacked the Internet’ has ever been as accurate as it is today,” Tillie Kottmann, a member of a hacker collective calling themselves APT 69420 Arson Cats, wrote on Twitter.

Hard-coded credentials

Kottmann told Ars that the hack was made possible after Verkada exposed an unprotected internal development system to the internet. It contained the credentials of an account with super administrator rights on the Verkada network. Once inside the network, hackers said they had access to feeds from 150,000 cameras, some of which provided high-definition video and used facial recognition.

In a statement, a spokesperson for Verkada wrote: “We have disabled all internal administrator accounts to prevent unauthorized access. Our internal security team and our external security company are investigating the extent and scope of this problem, and we have notified law enforcement. “

A Cloudflare rep, meanwhile, wrote:

This afternoon, we were alerted that the Verkada security camera system that monitors major entry points and major arteries in a handful of Cloudflare offices may have been compromised. The cameras were in offices that had been officially closed for almost a year. As soon as we learned of the compromise, we disabled the cameras and disconnected them from the office networks. To be clear, no customer data or process was impacted by this incident.

Tesla did not immediately respond to a request for comment.

Kottmann is a Swiss-based software engineer who disclosed 20 GB of Intel source code and proprietary data last year. Other companies whose data was allegedly breached by Kottmann include AMD, Microsoft, Adobe, Lenovo, Qualcomm, and Motorola. These violations also relied on hardcoded credentials in repositories exposed to the Internet.

Kottman said the hackers collected around 5GB of data from Verkada, but they could have gotten a lot more.