Hackers gained access to more than 150,000 private surveillance cameras in schools, hospitals and businesses in a wide-ranging cyber attack.
Belonging to security firm Verkada, the cameras were used by a wide range of companies, from prisons and psychiatric hospitals to electric car company Tesla and transport start-up Hyperloop.
Verkada claims to be ‘investigating’ the issue.
Though the perpetrators of the hack haven’t yet been confirmed, a hacker named Tillie Kottmann told Bloomberg they were responsible.
The hack was, according to Kottmann, for ‘lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it’.
Alleged footage from the hacked cameras includes Florida hospital workers pinning a man to his bed, Massachusetts police questioning a man in handcuffs and a Tesla factory worker in Shanghai working on the assembly line.
However, these clips have not been verified to have come from the hack.
While many of the cameras belonged to private companies, some of the cameras were used in more public settings.
According to the hackers, they gained access to the security cameras of Sandy Hook Elementary School, the site of a mass shooting in 2012.
Preliminary investigations of the hack suggest it was relatively unsophisticated, relying on a ‘super admin’ account to gain access to Verkada’s security cameras.
The hackers have reportedly now lost access to Verkada’s video feeds.
A spokesperson for Verkada said: ‘We have disabled all internal administrator accounts to prevent any unauthorised access.
‘Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.’
Speaking about the hack, Elisa Costante, VP of Research at software company Forescout, said: ‘Connected cameras are supposed to provide an additional layer of security to organisations that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true.
‘Worryingly, the attack wasn’t even very sophisticated and didn’t involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server.
‘In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.
‘In fact, based on our own research, the Verkada cameras are in widespread use within government and healthcare, leaving those organisations particularly vulnerable to these kinds of attacks. The only way for organisations to adequately protect themselves is to ensure they have a comprehensive device visibility and control platform in place.’