A group of hackers claim they have breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc.
The breach gave them access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc.
In addition, the hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.
Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage.
The hackers say they also have access to the full video archive of all Verkada customers.
In a video, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed.
Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line.
The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
One of the hackers, Tillie Kottmann, said the data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.
Kottmann, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
A Verkada spokesperson said in a statement that all internal administrator accounts have been disabled to prevent any unauthorized access.
A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident.
The company is working to notify customers and set up a support line to address questions, said the person.
Representatives of Tesla and other companies identified in this story didn’t immediately respond to requests for comment.
Representatives of the jails, hospitals and schools named in this article either declined to comment or didn’t immediately respond to requests for comment.
A video seen by Bloomberg shows officers in a police station in Stoughton, Massachusetts, questioning a man in handcuffs.
The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama. Verkada offers a feature called “People Analytics,” which lets a customer “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” according to a Verkada blog post.
The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code.
That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks.
Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers.
Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
The hackers say they were able to peer into multiple locations of the luxury gym chain Equinox. At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras pointed at nine ICU beds.
Hackers also say they watched cameras at Tempe St. Luke’s Hospital, in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did so.
A representative of Wadley declined to comment.
Verkada, founded in 2016, sells security cameras that customers can access and manage through the web. In January 2020, it raised $80 million in venture capital funding, valuing the company at $1.6 billion.
Among the investors was Sequoia Capital, one of Silicon Valley’s oldest firms.
Kottmann calls the hacking collective “Advanced Persistent Threat 69420,” a light-hearted reference to the designations cybersecurity firms give to state sponsored hacking groups and criminal cybergangs.
In October 2020, Verkada fired three employees after reports surfaced that workers had used its cameras to take pictures of female colleagues inside the Verkada office and make sexually explicit jokes about them.
Verkada CEO Filip Kaliszan said in a statement to Vice at the time that the company “terminated the three individuals who instigated this incident, engaged in egregious behavior targeting coworkers, or neglected to report the behavior despite their obligations as managers.”
Jails, Homes, Offices
Kottmann said they were able to download the entire list of thousands of Verkada customers, as well as the company’s balance sheet, which lists assets and liabilities.
As a closely held company, Verkada does not publish its financial statements.
Kottman said hackers watched through the camera of a Verkada employee who had set one of the cameras up inside his home. One of the saved clips from the camera shows the employee completing a puzzle with his family.
Inside Arizona’s Graham County detention facility, which has 17 cameras, videos are given titles by the center’s staff and saved to a Verkada account.
The hackers also obtained access to Verkada cameras in Cloudflare offices in San Francisco, Austin, London and New York. The cameras at Cloudflare’s headquarters rely on facial recognition, according to images seen by Bloomberg. “While facial recognition is a beta feature that Verkada makes available to its customers, we have never actively used it nor do we plan to,” Cloudflare said in its statement.
Security cameras and facial-recognition technology are often used inside corporate offices and factories to protect proprietary information and guard against an insider threat, said the EFF’s Galperin.