Security camera hack exposes hospitals, workplaces, schools


By MATT O’BRIEN and FRANK BAJAK Associated Press

Hackers aiming to call attention to the dangers of mass surveillance said they were able to peer into hospitals, schools, factories, jails and corporate offices after they broke into the systems of a security-camera startup.

That California startup, Verkada, said Wednesday it is investigating the scope of the breach, first reported by Bloomberg, and has notified law enforcement and its customers.

Swiss hacker Tillie Kottmann, a member of the group that calls itself APT-69420 Arson Cats, described it in an online chat with The Associated Press as a small collective of “primarily queer hackers, not backed by any nations or capital but instead backed by the desire for fun, being gay and a better world.”

They were able to gain access to a Verkada “super” administrator account using valid credentials found online, Kottmann said. Verkada said in a statement that it has since disabled all internal administrator accounts to prevent any unauthorized access.

But for two days, the hackers said, they were able to peer unhindered into live feeds from potentially tens of thousands of cameras, including many that were watching sensitive locations such as hospitals and schools. Kottmann said that included outdoor and indoor cameras at Sandy Hook Elementary School in Newtown, Connecticut, where 26 first-grade students and six educators were killed in 2012 by a gunman in one of the deadliest school shootings in U.S. history.

The school district’s superintendent didn’t return calls or emailed requests for comment Wednesday.

One of Verkada‘s affected customers, the San Francisco web infrastructure and security company Cloudflare, said the compromised Verkada cameras were watching entrances and main thoroughfares to some of its offices that have been closed for nearly a year due to the pandemic.

“As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks,” said spokesperson Laurel Toney. “No customer data or processes have been impacted by this incident.”

Another San Francisco tech company, Okta, said five cameras it placed at office entrances were compromised, though there’s no evidence anyone viewed the live streams.

Twitter said it permanently suspended Kottmann’s account, which posted materials gathered in the hack, for violating its rules against ban evasion, which typically happens when users start a new account to circumvent an earlier suspension. Kottmann had earlier received a message from Twitter suspending the account for violating its rules against the distribution of hacked material, the hacker said.

The Verkada footage captured and shared by hackers included a Tesla facility in China and the Madison County Jail in Huntsville, Alabama. Madison County Sheriff Kevin Turner said in a statement Wednesday the jail has taken the cameras offline, adding “we are confident that this unauthorized release did not and will not impact the safety of staff or inmates.” Tesla didn’t respond to requests for comment.

Verkada, based in San Mateo, California, has pitched its cloud-based surveillance service as part of the next generation of workplace security. Its software detects when people are in the camera’s view, and a “Person History” feature enables customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.

The company attracted negative attention last year when video surveillance industry news site IPVM reported that Verkada employees had passed around photos of female coworkers collected by the company’s own in-office cameras and made sexually explicit comments about them.

Cybersecurity expert Elisa Costante said it’s worrisome that this week’s hack wasn’t sophisticated and simply involved using valid credentials to access a huge trove of data stored on a cloud server.

“What is disturbing is to see how much real-life data can go into the wrong hands and how easy it can be,” said Costante, vice president of research at Forescout. “It’s a wake up call to make sure that whenever you are collecting this much data we need to have basic security hygiene.”

Kottmann said the hacker collective, active since 2020, doesn’t set out after specific targets. Instead, it scans organizations on the internet for known vulnerabilities and then works to “just narrow down and dig in on interesting targets.”

Find your latest news here at the Hemet & San Jacinto Chronicle


Please enter your comment!
Please enter your name here

Share post:

Subscribe to The Hemet & San Jacinto Chronicle


More like this

The next Republican debate is in Alabama, the state that gave the GOP a road map to Donald Trump

Republican presidential candidates will debate Wednesday within walking distance of where George Wallace staged his “stand in the schoolhouse door” to oppose the enrollment of Black students at the University of Alabama during the Civil Rights Movement.

Bitcoin has surpassed $41,000 for the first time since April 2022. What’s behind the price surge?

Bitcoin is once again having a moment. On Monday, the world’s largest cryptocurrency soared past $41,000 for the first time in over a year and a half — and marking a 150% rise so far this year.

Trump calls Biden the ‘destroyer’ of democracy despite his own efforts to overturn 2020 election

Former President Donald Trump on Saturday attempted to turn the tables on his likely rival in November, President Joe Biden, arguing that the man whose election victory Trump tried to overturn is “the destroyer of American democracy.”

Harris dashed to Dubai to tackle climate change and war. Each carries high political risks at home

Filling in for President Joe Biden, Vice President Kamala Harris flew to the Middle East to tackle a pair of challenges that have flummoxed White Houses for decades: climate change and the Israeli-Palestinian conflict. Each carries the risk of political blowback going into next year’s presidential elections.