As the dangers of the Microsoft Exchange Server attacks continue to become clearer, Bloomberg has reported on another hacking incident with serious implications for US businesses.
A group of international hackers shared sensitive, live footage from surveillance cameras with the news outlet. According to the report, the hackers had unrestricted access to 150,000 security cameras for 48 hours, until the hack was reported.
The shared footage belongs to various private businesses and public institutions, including hospitals, prisons, police departments, schools and community gyms. Large businesses such as the car maker Tesla and the software provider Cloudflare had their surveillance footage released as well.
The hackers obtained the footage by compromising the firm responsible for managing the cameras. The hacked business, Verkada Inc., provides a web-based platform for managing surveillance cameras.
To gain access, they first compromised a vulnerable Verkada server and then logged in to Verkada's super-admin panel using login credentials hardcoded on that server.
The super-admin access gave hackers full control over customers’ cameras. Using the admin panel, they could watch live footage, download archives, and access the root shell of all cameras, a privilege that could have been exploited for malware attacks on customers’ networks.
The hackers no longer have that access, but the severity of the incident raises many troubling questions, for example how to secure your administrative accounts, especially those accessed remotely.
In this post, we’ll look at
- What reportedly happened
- How the attack correlates with the broader issue of protecting admin panels
- Basic security measures that you need to take to protect your business
How easy was it for hackers to breach 150,000 security cameras?
On March 10, Bloomberg reported that a group of hackers claimed to have access to the surveillance cameras managed by Verkada, including those installed in sensitive locations, such as jails, hospitals, schools, and police departments.
The attackers shared several videos and photos, including footage from cameras used by private businesses such as the car maker Tesla, the software provider Cloudflare, and Halifax, a Florida-based hospital. The hackers were able to access video archives and audio too.
What's disturbing is that the shared videos include surveillance footage from a police station in Stoughton, Wisconsin, the Madison County jail in Alabama, and a community center gym. As per the news report, some organizations also used the cameras' facial recognition features.
In addition, the hacking group claimed that they had ‘root’ access to the cameras as well. As per security researchers, such privileged access can be exploited by criminals for launching malware attacks.
It's alarming that a hacking group could take control of 150,000 cameras so easily. As per Jeremy Kirk, the attack began after the hackers found a Verkada server exposed to the Internet while using the Shodan IoT search engine.
Because the server was exposed to the Internet, the hackers were able to compromise it, and by compromising it they gained access to several cameras managed by the company. Moreover, they found the credentials of a super admin account hardcoded in the camera software.
With the credentials, the hackers could log in to the Verkada app. And once logged in, they were able to control every camera managed by the company.
The super admin tools at their disposal also included access to the root shell. As mentioned above, root shell access can be abused to gain remote access to the network that the camera is connected to.
How did Verkada respond to the security breach?
Upon being notified of the hack, Verkada switched off all internal administrative accounts and is currently investigating the breach.
The affected organizations are looking into the hack as well. As per Tesla, the footage didn't belong to a Tesla factory but to a supplier's production site, while Cloudflare says that its systems haven't been affected, as it follows the zero-trust model of security. Most businesses have denied that the incident poses any serious security risks.
But the hackers say that until they were cut off, they could access the live feeds of tens of thousands of cameras, including those watching schools and hospitals as well.
How to prevent such security breaches
In terms of information security, the incident highlights the danger of an administrative login exposed to the Internet. Such a mistake can help criminals succeed in their attacks, as it allows them to use credential stuffing and brute-force password attacks. The risk of a breach multiplies for firms that rely on single-factor authentication.
Similarly, super admin rights should be granted conservatively. A breach of such an account can have disastrous consequences. For instance, in this case the hackers gained access to the entire network of 150,000 cameras managed by Verkada. As per some reports, at least 100 employees, including interns, had super admin rights.
Healthcare providers in particular should be careful about who can access their video feeds. Leaked camera footage can have HIPAA implications if it can be used to identify a patient.
How to protect your business from such attacks
In our opinion, it's important to protect admin panels from unrestricted access. Firstly, they should not be open to the Internet. Secondly, only a limited number of people should be able to access them. The easiest way to limit people is to enforce the least-privilege security model: grant access only to those who need it.
Similarly, to protect your admin panel from the Internet, you need to ensure that it's not publicly accessible. We suggest that you do this by restricting or obscuring access to the admin panel. Firstly, you can limit access to whitelisted IPs, so that only specific systems can reach the panel. Secondly, you can serve the panel at a cryptographically random, unguessable URL (this obscures the panel but does not replace authentication). And thirdly, you can put the admin panel behind a VPN.
In addition, you should set up two-factor authentication for admin panels. Other precautions include limiting the number of login attempts and logging all failed attempts to access the panel.
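The controls listed above (whitelisted source networks, a second factor, a cap on failed attempts and a log entry for every denied attempt) put together in one admin-panel login gate. This is an added example written for this post, not Verkada's code; the user store, the 10.8.0.0/24 network range and the TOTP secret are constructed.

```python
import hashlib
import hmac
import ipaddress
import logging

log = logging.getLogger("admin_audit")

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(secret, (now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class AdminLoginGuard:
    """Gate for an admin panel: IP allowlist, second factor, lockout and audit log."""
    def __init__(self, allowed_nets, max_failures=5):
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]  # e.g. VPN range
        self.max_failures = max_failures
        self.failures = {}  # username -> consecutive failed attempts
        self.users = {}     # username -> (salt, PBKDF2 digest, TOTP secret); constructed store

    def add_user(self, username, password, totp_secret, salt=b"constructed-salt"):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, totp_secret)

    def _deny(self, username, src_ip, reason):
        log.warning("DENY admin login user=%s ip=%s reason=%s failures=%d",
                    username, src_ip, reason, self.failures.get(username, 0))
        return reason

    def attempt(self, username, password, otp, src_ip, now):
        """Return 'ok' when the login may proceed, otherwise the logged denial reason."""
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed_nets):
            return self._deny(username, src_ip, "ip_not_allowlisted")
        if self.failures.get(username, 0) >= self.max_failures:
            return self._deny(username, src_ip, "locked_out")
        rec = self.users.get(username)
        if rec is not None:
            salt, digest, secret = rec
            cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            # Both factors are compared in constant time; a wrong OTP is a failure too.
            if hmac.compare_digest(cand, digest) and hmac.compare_digest(totp(secret, now), otp):
                self.failures.pop(username, None)
                log.info("ALLOW admin login user=%s ip=%s", username, src_ip)
                return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return self._deny(username, src_ip, "bad_credentials")
```

Requests from outside the allowed network are refused before any password is checked, so they never reach the credential path, while repeated bad credentials lock the account and leave a warning line for the SOC.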
By the same token, you need to train your employees in security awareness: good password habits, current malware trends, and secure email practices. Such training could prevent them from revealing their details to criminals.
According to Verkada and its customers, the hack should not have serious implications. Cloudflare says it already had a zero-trust security system in place, while Tesla confirms that the breached cameras belonged to a supplier's production plant. Similar statements have been made by other clients as well. Besides, the hackers had access to the cameras for only about 48 hours.
As per the latest update from Verkada, it has notified all affected customers. The firm has also engaged Mandiant, a digital forensics unit, to investigate the incident.
However, there are many lessons to draw from this incident, specifically about employee training: how regularly you train people, whether they understand secure coding practices, whether they are aware of good password practices, and so on.