Verkada’s security cameras turned out to contain a vulnerability that allowed attackers to gain access to their feeds. Tesla and Cloudflare, among others, have the cameras on their premises.
The vulnerability was discovered by the Swiss developer Tillie Kottmann. He was able to show Reuters images of a Tesla factory in China, a showroom in California, a prison in Alabama, hospitals, a police interrogation room and a community gym. Cloudflare and Okta also made use of the cameras. In total, more than 150,000 cameras were accessible.
Kottmann worked together with a small group of hackers. A few days ago, the group saw general login details for administrators of Verkada posted publicly on the internet. With these login details, the group wanted to show the world to what extent the companies were monitoring their employees.
Verkada’s cameras stand out for their easy access from the cloud, which provides a comprehensive overview of all connected cameras. Optionally, the software can also apply facial recognition to the people in the picture.
Vulnerability also exposed other parts of network
According to Kottmann, the vulnerability gave hackers more than access to the cloud interface of the cameras. Other parts of a company network could also be attacked via the cameras.
Verkada has since responded to the vulnerability by disabling all internal administrator accounts. Before the first news reports about the vulnerability were published, access for the hackers had already been removed.
Cloudflare says that the company set up its security so that further access to its network was not possible. Okta is investigating the incident, but emphasises that its services were not affected. Tesla did not respond to Reuters’ enquiries, nor did the Madison County Jail in Alabama, Bay Club or Virgin Hyperloop.