Artificial intelligence and video security company Verkada was breached, giving hackers access to more than 150,000 Internet-connected security cameras used inside schools, cells, hospital ICUs, and major companies like Tesla, Nissan, Equinox, Cloudflare and others.
The hack was carried out by an anti-corporate hacktivist group called APT-69420, based in Switzerland. According to the group’s representative, Till Kottmann, they accessed Verkada’s systems on March 8 and the attack lasted 36 hours. Kottmann described Verkada, a startup based in Silicon Valley, as a “fully centralized platform” that made it easy for the team to access and download images from thousands of security cameras. The leaked images appear to include major companies and institutions, but not private households.
The video and images are intended to capture a variety of activities that may be sensitive, such as security video of the Tesla car manufacturing line and a screenshot of the inside of security company Cloudflare. Some of the material is very personal, including a video of patients in hospital intensive care units and prisoners inside the Madison County Jail in Huntsville, Alabama.
Kottmann described security on Verkada systems as “non-existent and irresponsible,” and said his group targeted the company to demonstrate how easy it is to access Internet-connected cameras located in highly sensitive locations.
Verkada said they notified their clients of the attack and that their security teams are working with an outside security firm to investigate it. Verkada told CBS News: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and the external security firm are investigating the scale and scope of this issue, and we have notified police.”
The FBI had no comment. CBS News has reached out to Tesla and Equinox, but they were not available for comment at the time this story was published.
Kottmann provided CBS News with a 5-gigabyte archive containing videos and images of the hack, describing the attack as “non-technical” and not difficult to carry out.
Kottmann said his group discovered a Verkada administrator username and password stored in an unencrypted subdomain. The company, he said, exposed an internal development system to the Internet, which contained hard-coded credentials for a system account that it said gave them full control over their system with “super administrator” rights.
“We did very broad vector scans for vulnerabilities. This one was easy. We just used their web application like any user would, except we had the ability to switch to any user account we wanted. We didn’t access any servers. We just started a session into your web UI with a highly privileged user [account],” Kottmann said.
Kottmann said his hacking group is not motivated by money or sponsored by any country or organization. “APT-69420 is not endorsed by any nation or corporation, endorsed solely for being gay, fun and lawless,” he said.
When asked if he feared repercussions, Kottmann replied, “Maybe I should be a little more paranoid, but at the same time, what would change? I’m going to be as objective as I am now.”