Data breach of surveillance cameras operated by Verkada allowing hackers to access live feeds of schools, aged care facilities and child care centres. Australian operations affected.
March 12, 2021
Surveillance cameras, baby cameras and other monitoring devices connected to the internet have been particularly prone to cyber attack. They are attractive targets: successful hacks result in high profile press coverage and huge embarrassment for both the users and the manufacturers of the device. The motivations are varied. In 2014 hackers remotely turned on baby cameras and shouted obscenities at parents and their babies. I wrote about the vulnerabilities of these devices in 2016. In 2019 G Post raised a similar issue with “Yes, Your Video Baby Monitor Can Be Hacked. No, You Don’t Have to Stop Using It.”
For all of that forewarning, the known attractiveness of surveillance cameras as hacking targets, and the well known vulnerabilities that could be addressed, Verkada, a provider of cameras and surveillance equipment, has been the subject of a massive data breach. The ABC reports on this in “Hackers say they’ve gained access to surveillance cameras in Australian childcare centres, schools and aged care”. The hack compromised approximately 150,000 internet connected surveillance cameras. Given that some of the surveillance cameras employ facial recognition technology, the open question is whether the hackers have accessed images of those recorded.
It provides:
A group of hackers claims to have breached a popular surveillance company and gained access to live feeds from thousands of cameras around the world, including Australian childcare centres, schools and aged care residential facilities.
Key points:
- Hackers gained access to 150,000 private surveillance cameras around the world
- They claim to have been able to access cameras used by more than 100 Australian organisations
- They said the hack was to raise awareness of the widespread use of surveillance cameras and facial recognition
The cameras, sold by Silicon Valley startup Verkada, have the capacity for facial recognition. This includes identifying particular people across multiple timepoints or filtering individuals by gender or colour of their clothes.
The company said in a statement that it had notified law enforcement of the hack.
“Our internal security team and external security firm are investigating the scale and scope of this issue.”
The international collective of hackers say they broke into the company’s system to draw attention to the widespread use of surveillance cameras, and the ease by which outsiders can gain access to these systems.
A spreadsheet provided by one of the hackers to the ABC lists 24,000 organisations around the world using Verkada cameras.
On this list are more than 100 Australian organisations, including one with childcare and early education centres throughout the country.
The list also includes public and private schools, universities, higher education colleges, an aged care provider, a national department store, a chain of duty-free stores, local governments and a state public transport agency.
Prominent “hacktivist” Tillie Kottman, a software engineer based in Switzerland and one of those claiming responsibility for the hack, told the ABC in an online chat that the hackers could have accessed live feeds or archived materials for any Verkada customers on the list, including the Australian organisations.
“I don’t think we accessed any Australian customers,” they said.
The hackers claim to have peered inside women’s health clinics, psychiatric hospitals, prisons, police stations and gyms in the US. They showed some of these videos to a Bloomberg reporter, who broke news of the breach earlier this week.
A handful of screenshots from hacked Verkada live feeds are circulating online.
“We archived a small number of things which we are solely handing out to the press,” Tillie Kottman said.
The hackers say it was easy to hack Verkada. They claim they simply found a username and password for an administrator account publicly exposed on the internet. This gave them “super-admin” access to 150,000 cameras around the world.
They say they gained access to the cameras around midnight (AEDT) on Monday and had access revoked before Wednesday morning.
Verkada confirmed it had revoked administrator access to the cameras.
Hacked cameras have facial recognition ability
According to the Verkada website, all of the company’s cameras have facial recognition as a basic function, although customers may not necessarily choose to use this feature.
From the spreadsheet, it’s not clear if any Australian customers are using facial recognition.
The spreadsheet also doesn’t say how many cameras each organisation has, nor how and where they deploy these cameras.
Verkada promotional materials claim all its cameras have the ability “to detect people and faces, and filter results based on clothing colour, apparent sex, and the presence of backpacks”.
A companion web app available to Verkada customers can be used to search through archived footage for a specific person.
Tillie Kottman told Bloomberg the Verkada hack exposes “how broadly we’re being surveilled and how little care is put into at least securing the platforms used to do so.”
Founded in 2016, Verkada is valued at $US1.6 billion.
Canberra-based cyber security researcher Robert Potter said the hack was typical of attacks against internet startups that have enjoyed rapid growth, but failed to scale their cyber defences.
“We’ve seen this with Clubhouse, Tik Tok, Zoom — these companies grow really fast and go really well until things go wrong,” he said.
He added the hack also showed the privacy risks associated with installing internet-linked surveillance cameras in schools and other places.
“These cameras are in a lot of things which means there’s value in hacking them.”
Verkada has been in the news before.
The company fired three employees last October after reports surfaced that workers had used its cameras to harass co-workers, including making sexually explicit jokes about female colleagues.