A hacker collective has obtained access to live feeds of 150,000 surveillance cameras installed at businesses including Tesla and website security company Cloudflare, according to reports by Bloomberg and Reuters. This stunning breach of security also affected jails, hospitals, police departments, and schools.
All the victims were customers of a Silicon Valley startup called Verkada, which sells security cameras and provides users with remote viewing through the cloud. That last bit appears to have backfired badly – a fact made worse by how easily the hackers pulled off their heist.
Tillie Kottmann, one of the hackers, told Bloomberg that they found the username and password of a Verkada “Super Admin” account lying exposed on the Internet. Using that account, they were able to view the camera feeds of all of the company’s customers.
Bloomberg said that footage provided by Kottmann showed the inside of a Tesla warehouse in Shanghai, a hospital in Florida, and a police station in Massachusetts. Since learning of the intrusion, Verkada has disabled all internal administrator accounts.
Kottmann told Bloomberg that the hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
Funnily enough, easy access to video feeds may have been the point.
Reuters noted that Verkada CEO Filip Kaliszan once said the company intentionally made it easy for many organisational users to view live video and share it when necessary – for example, with emergency responders.
As always, this seems to be a case of technological utility butting heads against security and privacy. What’s the right balance? We doubt there are easy answers.