Blog March 18, 2021

When security becomes a threat itself: Inside the Verkada breach

This week, hackers breached Verkada security cameras exposing businesses, police departments, schools, jails and hospitals across the country. The incident, first reported by Bloomberg, allowed the hackers access to feeds from nearly 150,000 cameras, as well as the full video archive from Verkada customers.

The breach was carried out by a hacker collective with the intention of showing the pervasiveness of video surveillance, and how easy it is to break into these systems. Tillie Kottmann, one of the hackers responsible, said that her group discovered a “Super Admin” password that gave them full control over Verkada’s system. Kottmann noted that Verkada had a fully centralized platform with “nonexistent and irresponsible” security, making it easy for their team to infiltrate.

In an effort to secure the system and prevent any further unauthorized access, Verkada disabled all internal administrator accounts, and has security teams investigating the scale and scope of the incident.

As businesses, government agencies, and the DoD continue to install an increasing number of internet-connected devices they must also be aware of, and take steps to mitigate, the inherent risk. This week’s hack only emphasizes the glaring need for IoT companies to invest in more robust security measures.

In Verdaka’s case, the existence of hardcoded administrative credentials and passwords combined with the lack of unique and rotating credentials, a secure credential repository, and privileged access management (PAM), made it easy for Tillman and their group to access a vast amount of real-time, sensitive video with only a few clicks.

Conducting basic, scalable security hygiene measures to protect IoT devices, such as inventory, patching and credential management is essential. As well as, automating remediation against IoT’s most critical vulnerabilities. By automating security, organizations can keep pace with the proliferation of IoT technologies without overtaxing IT teams.

An additional key takeaway from the Verkada hack is that as the number of internet-connected devices accelerates, it’s critical to promote a zero-trust environment to secure the network, especially as the sensitivity of network data increases. What does this mean? For starters, a zero-trust environment will ensure that current systems relying on a single line of defense (i.e. perimeter security) are converted to a layered defense that constantly checks and re-checks each user and software process each time they try to access data.

Government is leading the charge in securing IoT devices with the recent passage of the IoT Cybersecurity Improvement Act. This new mandate requires all federal agencies to conduct identity management, patching and configuration management for its IoT devices, just like it would for more traditional devices on the network such as desktops and servers.

To learn more about the Verkada hack please join us on Friday March 19, 2021 at 12:00 pm ET for a webinar hosted by Phosphorus’ CEO Chris Rouland and CTO Earle Ady.