Hacker "anarchists" easily gained access to 150,000 security cameras throughout the U.S. in the most extensive breach recorded.
Hit by the unprecedented intrusion were hundreds of customers of Verkada, Inc., a California-based startup that makes enterprise security software and hardware.
Among the Verkada customers whose security cameras were compromised are Tesla, Inc., cloud computing firm Clouldflare, Inc., the luxury fitness company Equinox Group, Florida-based hospital system Halifax Health, Tempe St. Luke's Hospital in Arizona, and the Madison County Jail in Alabama.
Apart from gaining access to the cameras and their feeds, the hackers also managed to penetrate the corporate networks of Verkada's customers by exploiting the security camera breach.
The hack was carried out by an international hacker collective that had previously hit Intel Corp. and carmaker Nissan Motor Co. Ltd. Tillie Kottmann, one of the hackers who claimed credit for the hack, told Bloomberg News the group wanted to illustrate the pervasiveness of video surveillance and the ease with which systems can be defeated. The group gained access to the Verkada network Monday morning.
Kottmann said the group's motives were "lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism - and it is also just too much fun not to do it."
Kottmann said the group obtained "root" access to the cameras, meaning they could command the cameras to execute their own code. This access also allowed them to obtain access to the corporate network of Verkada's customers in some instances.
It also enabled them to hijack cameras and use them as a platform to launch future hacks. Kottmann said this degree of camera access didn't require any additional hacking since it was a feature built into the system by Verkada.
Cybersecurity experts said the hackers used relatively unsophisticated methods to overpower Verkada's system. Hackers gained access using a "Super Admin'' account that allowed them to peer into the cameras of all of its customers.
Kottmann revealed they also exploited a user name and password for an administrator account publicly exposed on the internet. She said their exploit "exposes just how broadly we're being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit."
"It's just wild how I can just see the things we always knew are happening, but we never got to see." said Kottman.
