Verkata: a weak user password exposed 150K highly sensitive videos

It was just ONE weak user password that could be guessed by hackers. That ONE users password however led to a 40 hour access to much larger unsecured list of Super User logins and passwords as well as sensitive trade, personal privacy, hospitals, jails, schools, Intel and Tesla factories.

Verkada’s Camera Debacle Traces to Publicly Exposed Server (bankinfosecurity.com)

WHAT DID THESE HACKERS GAIN?

Bloomberg revealed how Verkada, a Silicon Valley security startup, poor cyber security was breached from a chain of Security Operations Information and unmanaged risks that started with:

• Guessing one user’s poor choice of password. As a result hackers were able to log in on that one user’s poor password.
• Once connected hackers were able to access and discover an unsecured/unencrypted list of super user passwords.
• These 2 vulnerabilities led to a map of video 150,000 internet connected company’s cameras that were recording and collecting highly sensitive personal and trade secret corporate information

How much are people watched over by dangerous internet camera streaming?

Tillie Kottmann was at times shocked by what they found during their 40 hours of access to the most personal internet streaming camera videos, with cameras located, and some hidden, but thousands of all internet connected security cameras.

Some cameras were hidden in other devices, designs, thermostats, and medical devices to obscure detection and recording.

• Highly personal information and human events recorded in Prison Cells; People experiencing tramatic health events in hospital intensive care unites. ChildCare Community Centers and even hidden cameras in Police Interrogation rooms
• Corporate trade secrets discernable from Billion Dollar Public Companies including a huge collection of secret documents and source code from chipmaker Intel and recording from inside Tesla Manufacturing Operations.

Some cybervideo victim sites included children, penal system and mental health patient care centers, Tempe St. Luke’s Hospital, Peoria Unified School District, the city of Avondale, Graham County Jail and more.

HACKTIVISM WAS THE MOTIVE

Identity theft affects one in twenty Americans. Basic identify information can be sold on the dark web for a premium. Identity, password and personal information and video cyberfraud/cybertheft is on the rise. Last April,  500,000 compromised Zoom accounts were being sold by another group, for them profit was the motive, selling stolen personal information on the darkweb for less than a penny each. Less than $50 profit for cybertheft of data theft containing email addresses, passwords, personal meeting URLs and hostkeys.

While many hacking organizations exploit vulnerabilities to charge a ransom, or sell stolen video records to gain advantage from other security operations improperly managed data, this did not seem to be the case here.

This seemed to be “hacktivist” (hacker activist) for social cause. A Swiss Hacker Organization found a single user password that gave them access to wanted to share the dangers of internet connected cameras are, against human rights. Tillie Kottmann, is a 21-year-old transgender hacker.  

She went on the record stating that the hacking was a deliberate demonstration of how dangerous internet connected camera’s are as a violation of human rights.

“I was persecuted and attacked long before I executed this attack.”

She wanted it known that the consequences of exposing the data via hacking were nothing compared to the violation of human rights she experienced prior as a transgender woman.

The Wrap Up

The company, Verkada … Failed to exercise the most basic, sound cyber security protocol.

• Hackers exploited Verkada’s Bad Cyber Security Hygiene around passwords;
• Encription for sensitive files and information, and records management for personal information.

Tillie Kottmann’s GitLab repository, contained a catalog of exploits, that have since been seized by the Federal Bureau of Investigation.

Resources for Governance, Risk Management, and Compliance

How do you protect sensitive data with Insider Risk Management? 93% are concerned with Insider Risk Management. COVID has increased this risk with data endpoints not being secured.

Great discussion by Microsoft’s Ramyan Kalyan, Director Product Marketing and Talah Mir, Principal Program Manager.

• How Secure Is My Password? (security.org)
• Password Guidelines Updated by NIST • Total HIPAA Compliance
• ISAACA: Compliant, Yet Breached. Compliance versus Security
• Using IP Cameras Safely | FTC Consumer Information