surveillance cameras hacked 

SCOOP: Hackers have breached Verkada, a security camera company. Hackers were able to access LIVE FEEDS of 150,000 cameras from Tesla, Cloudflare, schools, hospitals, prisons, and thousands of other organizations.

twitter.com/WilliamTurton/stat

re: surveillance cameras hacked 

and they went deep - I saw screenshots of them having root on servers in both Tesla and Cloudflare net blocks :blobeyes:


re: surveillance cameras hacked 

From the Bloomberg article:

Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.


re: surveillance cameras hacked 

The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it.”


re: surveillance cameras hacked 

“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada representative said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this potential issue.”

A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.


re: surveillance cameras hacked 

Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.

The hackers say they were able to peer into multiple locations of the luxury gym chain Equinox. At Wadley Regional Medical Center, a hospital in Texarkana, Texas, hackers say they looked through Verkada cameras pointed at nine ICU beds. Hackers also say they watched cameras at Tempe St. Luke’s Hospital, in Arizona, and were also able to see a detailed record of who used Verkada access control cards to open certain doors, and when they did so. A representative of Wadley declined to comment.


re: surveillance cameras hacked 

@djsundog it's the height of irony that "security" cameras are amongst the least secure workable devices in existence (probably second only to PLCs and RTUs for industrial control systems and SCADA).

It is also disturbing that Cloudflare and Tesla were caught in this mess. They have no excuse and should know better.

Also, after this news, on top of previous accounts from ex-employees there, I will never EVER buy or even drive any Tesla product.

@alcinnz @msh @djsundog The embarrassment to will probably never manifest to the extent that it should. They will just point the finger & people will overlook their incompetence in auditing their own security. This is why corporations love to outsource. Not that it improves security, but it gives them an unjust ability to duck blame.
