News outlet Bloomberg has gone public with a dramatic cybersecurity news story about surveillance.
Bloomberg claims that an “international hacker collective” was responsible for breaking into a network of 150,000 surveillance cameras and purloining private footage from live video feeds.
According to Bloomberg, one of the hacking crew, Tillie Kottmann, claimed to have broken into cloud-based camera surveillance company Verkada and accessed a huge swathe of internal data.
This apparently included real-time access of up to 150,000 surveillance cameras at Verkada customer sites, as well as other real-time information such as access control data from Verkada customers.
Car maker Tesla, internet provider Cloudflare and numerous health and law enforcement organisations are claimed in Bloomberg’s piece as some of the victims.
Why the hack?
Kottmann, says Bloomberg, gave a laundry list of libertarian-sounding reasons for the hack, including anti-capitalist sentiment and opposition to the very concept of intellectual property.
However, the list of reasons rather notably starts with “curiosity” and ends with the fact that it was “just too much fun not to do it“.
The concept of hacking-just-for-fun was perhaps most notoriously adopted in the past decade by the cybercrew who called themselves LulzSec, and whose infamous motto was “Laughing at your security since 2011.”
Things didn’t end too well for some of the LulzSec gang, who were fairly quickly identified, charged and convicted of various cybercrime offences.
Viewing the evidence
Bloomberg says it’s seen camera footage that substantiates Kottmann’s claims to have accessed video feeds online, and says that the feeds stopped after it reported the incident to Verkada.
Verkada apparently told Bloomberg that it had “disabled all internal administrator accounts to prevent any unauthorized access.”
Administrator access is supposed to be how the infiltrators got in to start with – not so much by fiendish hacking as by a combination of poor cybersecurity practices and good luck:
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.
What’s likely to happen next in this saga isn’t clear.
Kottmann, at any rate, who apparently tweeted as @nyancrimew, is now suspended from the platform for violating Twitter rules.
What to do?
Don’t let this happen to you.
- Don’t create so-called super-admin accounts that make it possible for one individual to access any and all data at will. Make sure you not only have limits on just how much harm any individual user might do on their own, but also that you pay attention to any alerts warning you of users trying to get access to controlled resources.
- Don’t assume that all attackers are motivated by money. Attacks for old-school reasons, including simply “because it was there”, are no less intrusive or disruptive, especially if confidential customer data is at risk.
- Don’t forget that you can outource the work but not the responsibility. Assessing the cybersecurity strengths and weaknesses of the providers you work with may feel like a burden that slows your business down, but you need to ensure that your suppliers are operating at or above your own security standards.
- Keep an eye on your cloud assets in case you’re exposing data where you shouldn’t. Tools like Sophos Cloud Optix can’t stop you telling the right passwords to the wrong people, but they can help you to control your exposure and identify cloud assets that are visible where they aren’t supposed to be.
- Use end-to-end encryption wherever you can. If you are collecting surveillance data from customer sites but will never need to examine it yourself, encrypt it with your customers’ keys right at source and only ever transmit or store it in encrypted form.
Remember that even if you are collecting data from your customers so you can process it for them, such as doing real-time image recognition to generate alerts based on dangerous situations or prohibited access, you can still use end-to-end encryption inside your own network.
For example, encrypting data at source from a camera so that it can’t be decrypted until it reaches your (presumably additionally secured) image processing servers helps to limit the number of people and devices on your network where sensitive data could be intercepted and stolen.