When 150,000 video surveillance cameras get hacked, it’s big news. Even if the main reason for the hack was to make a point. Even if the major consequence is bad publicity for a video company (and, by extension, the entire video surveillance industry).

The target of the hack was Silicon Valley startup Verkada, which has collected a massive trove of security-camera data from its 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools. Previously, Verkada has been known for an aggressive sales approach and its intent to disrupt the traditional video market.

The data breach was accomplished by an international hacker collective and was first reported by Bloomberg. The reported reasons for the hack were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it,” according to Bloomberg.

Tesla amongst those impacted

The “fun” included access to a video showing the inside of a Florida hospital, where eight hospital staffers tackled a man and pinned him to the bed. A view inside a Tesla warehouse in Shanghai, China, showed workers on an assembly line. Inside a Massachusetts police station, officers are seen questioning a man in handcuffs. There are even views from Verkada security cameras inside Sandy Hook Elementary School in Connecticut, where a gunman killed more than 20 people in 2012.

In a “security update” statement, Verkada reports: “Our internal security experts are actively investigating the matter. Out of an abundance of caution, we have implemented additional security measures to restrict account access and further protect our customers.”

Hacking was possible due to built-in feature

The hacker group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code, reports Bloomberg. Using that access, they could pivot and obtain access to the broader corporate network of Verkada’s customers or hijack the cameras and use them as a platform to launch future hacks, the hackers told Bloomberg. Obtaining this degree of access to the camera did not require any additional hacking, as it was a built-in feature.

Elisa Costante, VP of research for cybersecurity firm Forescout, calls the Verkada security camera hack "shocking."

"Connected cameras are supposed to provide an additional layer of security to organizations that install them,” she says. “Yet, as the Verkada security camera breach has shown, the exact opposite is often true. [It is worrisome that] the attack wasn't even very sophisticated and didn't involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server.”

Super Admin account had access to all cameras

Hackers gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. They found a username and password for an administrator account publicly exposed on the internet, according to Bloomberg. The hackers lost access to the video feeds and archives after Bloomberg contacted Verkada.

The results could have been worse, says Costante. "In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.”

Impact on broader video surveillance industry

The impact of a well-publicised cyber-attack on the broader video surveillance industry is also a concern. “As an industry, and as manufacturers in physical security, we cannot take these hacks lightly,” says Christian Morin, CSO & Vice-President of Integrations & Cloud Services, Genetec. “The potential broad-reaching impact of these hacks on physical security systems, including providing a beachhead to facilitate lateral movement onto networks, resulting in data and privacy breaches or access to critical assets and infrastructure, cannot be overstated. It is our responsibility and duty to users of our technology to prioritise data privacy and cybersecurity in the development, distribution, and deployment of video surveillance systems.”

Widespread government and healthcare use

The Verkada cameras are in widespread use within government and healthcare, which are by far the company’s most dominant verticals. Lesser verticals for them are manufacturing, financial and retail.

Verkada’s line of hybrid cloud security cameras combines edge-based processing with the capabilities of cloud computing. Cameras analyse events in real-time, while simultaneously leveraging computer vision technology for insights that bring speed and efficiency to incidents and investigations. Command, Verkada’s centralised web-based platform, provides users with access to footage they need. Motion detection, people analytics, and vehicle analytics enable searches across an organization to find relevant footage.

The Verkada website pledges to take privacy seriously: “We are passionate about developing products that enhance the security and privacy of organizations and individuals. We believe that well-built, user-friendly systems make it easier to manage and secure physical environments in ways that respect the privacy of individuals while simultaneously keeping them safe.”


Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.
