Hackers said they accessed internal video feeds at several companies, including Tesla Inc., TSLA -1.48% and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks.
Tillie Kottmann, one of the hackers, said the group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage. That included footage from 222 cameras placed inside various Tesla factories and warehouses, Kottmann said in a message.
In all, the group could have accessed material from 150,000 Verkada cameras, according to Kottmann, who doesn’t identify as male or female and uses they as a pronoun.
Verkada has since disabled all internal administrator accounts to prevent any unauthorized access and has both internal and external teams investigating the matter, a spokesman said. The company said it has notified law enforcement and customers.
Although the hack was unsophisticated, with a crucial password left openly exposed, it adds to a number of attacks on networks launched through vendors. These “supply-chain hacks” have become a growing concern for cybersecurity professionals in recent years.
Those worries were amplified late last year when suspected Russian hackers breached U.S. government and corporate networks after compromising code many of the organizations used that was provided by little-known network-software company SolarWinds Corp. Microsoft Corp. said this month that hackers had targeted users of its Exchange software.
Verkada sells security cameras that customers manage over a web-based platform it calls Command, according to the company’s website. “By aggregating data across devices into a centralized platform, Command provides users with a complete picture of what’s going on across sites,” the site says. Thousands of devices can be connected to the platform, according to Verkada.
Tesla didn’t respond to requests for comment. The electric-vehicle maker told Bloomberg, which previously reported the incident, that hacked cameras were placed at a supplier.
The hack illustrates how buyers of software connected to the internet depend on their suppliers to follow security protocols and safeguard their own operations.
“Their security becomes your security,” said Jeremiah Grossman, chief executive at Bit Discovery, which helps companies track what they own online. Companies are commonly hacked by leaving assets exposed online, he said.
Kottmann said they pursued the effort because of “curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism,” adding, “It’s also just too much fun not to do.”
Kottmann also posted a screenshot on Twitter from what were described as an office for gym chain Equinox and of a video from inside a Bank of Utah office, according to the archived Twitter thread of the now-suspended account. Those companies couldn’t immediately be reached.
Other companies involved in the hack said they have taken steps to contain the problem.
Cloudflare Inc. said yesterday it was alerted that Verkada security cameras that monitor entrances and thoroughfares in some of its offices might have been affected.
“As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident,” the company said. The Verkada cameras were located in offices that have been officially closed for almost a year.
The hackers also accessed video footage from inside public agencies, such as the Madison County Jail in Huntsville, Ala., according to Bloomberg. A spokesman for the jail in Alabama didn’t immediately respond to a request for comment.
Founded in 2016, privately held Verkada raised $80 million in January of last year, giving it a valuation of about $1.5 billion, according to PitchBook.
Write to Micah Maidenberg at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
