Video and AI security company Vercada was breached, giving hackers access to more than 150,000 Internet-connected security cameras used in schools, prison cells, hospital ICUs and large companies such as Tesla, Nissan, Equinox, CloudFlare and others.
The hack was carried out by a loose yellow-knitted anti-corporate activist group called APT-69420 based in Switzerland. According to Till Cottman, the group’s representative, they accessed Verkada’s systems on March 8 and the hack lasted 36 hours. She described Verakada, Silicon Valley based startup, As a “full-fledged platform” that made it easy for his team to access and download footage from thousands of security cameras. The leaked footage appears to involve major companies and organizations, but not private homes.
Security video from the Tesla car manufacturing line and port video and images to capture many activities that can be sensitive, such as screenshots from inside security firm Cloudflare. Some of the material is very personal, including video of patients and inmates in the hospital’s intensive care unit inside the Madison County Jail in Twilight, Alabama.
Kotman called the security on Verkada systems “non-existent and irresponsible” and said his group had demonstrated to the company how easy it was to reach Internet-connected cameras placed in highly sensitive locations.
Provided by Till Kotman
Verkada said they informed their customers about the hack, and its security teams are working with an external security company to investigate. “We have disabled all internal admin accounts to prevent any unauthorized prevent access. Our internal security team and external security firm are investigating the scope and scope of this issue, and we have notified law enforcement,” Verkada told CBS News.
Provided by Till Kotman
The FBI has not commented. CBS News has reached out to Tesla and Equinox but was not available for comment at the time the story was published.
Kotman provided CBS News with a 5 gigabyte archive containing video and images from the hack, and described the attack as “technical” and not difficult to pull off.
Provided by Till Kotman
Kotman said his group searched for a Vercada administrator’s username and password stored on an unencrypted subdomain. She said the company exposed the internal development system on the Internet, which had strictly coded credentials for the system account that said they had full control over the system with “super admin” rights.
“We scan for very broad vectors looking for vulnerabilities. This was a simple one. We just used their web application like any user, except we didn’t have the ability to switch to any user account we wanted. We didn’t access any server. We’ve just logged in with a very privileged user in their web UI [account], ”Kotman said.
Kotman said his hackers group is not motivated by money or sponsored by any country or organization. “APT-694450 is not supported by any nations or corporations, it is supported by nothing but gay, pleasure and chaos.”
When asked if she’s afraid of reactions, Cottman replied, “Maybe I should be a little more paranoid, but at the same time what will it change? I’ll just be as targeted as I am.”
.
