The Verkada Breach--What Really Matters
Incident of Surveillance Breach Tied To An Industry Security Provider
Following the Ring harassment hacks and the ADT scandal, Verkada is the latest surveillance provider to be involved in a security breach.
The surveillance industry overall has had its problems from a privacy perspective. That isn’t something we’ve ever shied from talking about.
A back door is exactly as it sounds--an additional means of entry, of access. Every company keeps a master list of customers. That’s not a security-threat issue when they send you an unwanted email about an upcoming sale. You send the email to trash. Problem solved. A back door becomes problematic when that master list of customers bought electronic equipment that can be accessed/reprogrammed/ or manipulated remotely by someone other than you, the purchaser/owner. The breach of Verkada revealed more than the typical back door relevant to the security industry. More than a limited back door with which company technicians can reset passwords after being given customer consent. Verkada uses a back door capable of taking “salted passwords” (private passwords known only to the customer which are then computer encrypted) and reconstituting those from encryption, back to a readable format. As a result, Verkada customers had their anonymity removed and their security compromised.
Ring, Verkada, ADT - none of these hacks should have even possible to begin with. You can reset a password without having a “master login” or “super admin” access. You can restore access to a device without looking at what data it is storing. And what about those times when you are asked to observe and make recommendations about user settings or configurations that might require you to look at video files? With a consent-based support policy, every true customer-directed support request will be given access, but just require the customer to affirm that they do want this level of support. It can be a fearful proposition to entrust your life’s privacy into the hands of a faceless, corporate giant. Where the future of ethical handling of your data is headed, the image remains blurry.
The Verkada Breach--What Happened?
A loose international collective of computer-savvy hackers infiltrated every Verkada customer camera in service worldwide. That’s about 150,000 cameras in active surveillance at locations from hospitals to prisons, churches to CEOs’ offices. Access was gained to live surveillance feeds, including cameras that use facial recognition to categorize and identify people. The group responsible also claimed to have accessed complete video archives of all Verkada customers. You can read more about the details of what happened here. We aren’t aiming to retread that ground here. We’re here to examine what really matters regarding the Verkada breach.This was not a sophisticated attack.
All this took was someone getting Verkada’s super admin password. The hackers simply found a user name and password for an administrator account publicly exposed on the internet. What they discovered went way beyond access to security camera video footage that never should have seen the light of day. More than the privacy of clients being exposed, the infiltrators unearthed the biggest “back door” in all security camera history.“Anything with backdoor access will obviously expand your attack surface area significantly.”
A back door is exactly as it sounds--an additional means of entry, of access. Every company keeps a master list of customers. That’s not a security-threat issue when they send you an unwanted email about an upcoming sale. You send the email to trash. Problem solved. A back door becomes problematic when that master list of customers bought electronic equipment that can be accessed/reprogrammed/ or manipulated remotely by someone other than you, the purchaser/owner. The breach of Verkada revealed more than the typical back door relevant to the security industry. More than a limited back door with which company technicians can reset passwords after being given customer consent. Verkada uses a back door capable of taking “salted passwords” (private passwords known only to the customer which are then computer encrypted) and reconstituting those from encryption, back to a readable format. As a result, Verkada customers had their anonymity removed and their security compromised.
It gets worse.
This massive list of every Verkada camera sold and in use was made available down the corporate chain. From executives to support personnel--those not normally given the privilege to access private customer data or security footage--this stockpile of sensitive information evidently became visible. Conscientious protocol would have restricted a pared-down version of access and control to a typical small list of developers. Never is it prudent or good practice to give an extended group of employees, with less than the highest clearance, full access to private, customer data.“The fallout for this attack will be felt for months and months. This is shoulder surfing at an unprecedented scale. Is it possible they could have deduced credentials for systems by watching keystrokes? We have already started to hear about HIPAA concerns, privacy issues, but it's the potential for the fringe attacks that we just haven't thought about yet that is alarming. Especially when thinking about the average data breach goes undetected for roughly 200 days.”
As a buyer, how can I prevent this from happening to me?
The very best advice we can give is to do your research before purchasing. Read the fine print before you sign a contract with a new surveillance provider. Do they indicate ultimate ownership of your data? Do they mention specific protocols in place to maintain your privacy? Is there mention of them needing your consent to access your system?Surveillance companies can and must do more
There are security measures that surveillance companies can take to keep your sensitive information from being readily visible. “Dozens of protocols could have been put in place, to prevent such a hack, such as bastion servers, “superuser” IP whitelists, client segmented subdomain based cloud instances, or multiple layers of authentication (such as two-factor authentication)”, says Matthew Nederlanden, CEO of SCW. Obviously, some sort of “super admin” privilege has to exist. Sometimes there is a need to reset a customer’s password or help them get back into a system that they have inadvertently locked. Customers demand these things, but maybe this “backdoor access” doesn’t need to include access to every feature. At the end of the day, it is someone’s job to maintain the databases that contain the video files that these companies are being paid to record. But, does it really have to be so easy to watch customer videos?“If you are a company who has purchased this network of cameras and you are putting them in sensitive places, you may not have the expectation that in addition to being watched by your security team that there is some admin at the camera company who is also watching.”
Ring, Verkada, ADT - none of these hacks should have even possible to begin with. You can reset a password without having a “master login” or “super admin” access. You can restore access to a device without looking at what data it is storing. And what about those times when you are asked to observe and make recommendations about user settings or configurations that might require you to look at video files? With a consent-based support policy, every true customer-directed support request will be given access, but just require the customer to affirm that they do want this level of support. It can be a fearful proposition to entrust your life’s privacy into the hands of a faceless, corporate giant. Where the future of ethical handling of your data is headed, the image remains blurry.