Employees of cloud-based surveillance firm Verkada had widespread access to feeds from customers’ cameras, according to new reports from Bloomberg and The Washington Post.
Verkada’s systems were recently breached by a “hacktivist” collective which gained access to more than 150,000 of the company’s cameras in locations ranging from Tesla factories, to police stations, gyms, schools, jails, and hospitals. The group, who call themselves Advanced Persistent Threat 69420, stumbled across log-in credentials for Verkada’s “Super Admin” accounts online. They publicized their findings, saying they were motivated by “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Super Admin accounts gave hackers and employees access to tens of thousands of feeds
Now, anonymous Verkada employees say the same “Super Admin” accounts that the hackers accessed were also widely shared in the company itself. More than 100 employees had Super Admin privileges, reports Bloomberg, meaning that these individuals could browse the live feeds from tens of thousands of cameras around the world at any time. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” one former senior-level employee told the publication.
Verkada, meanwhile, says access was limited to employees who needed to fix technical problems or address user complaints. “Verkada’s training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” said the Silicon Valley firm in a statement given to Bloomberg.
The Washington Post, though, cites the testimony of surveillance researcher Charles Rollet, who says individuals with close knowledge of the company told him that Verkada employees could access feeds without customers’ knowledge. “People don’t realize what happens on the back-end, and they assume that there are always these super-formal processes when it comes to accessing footage, and that the company will always need to give explicit consent,” said Rollet. “But clearly that’s not always the case.”
Another former employee told Bloomberg that although Verkada’s internal systems asked workers to explain why they were accessing a customer’s camera, this documentation was not taken seriously. “Nobody cared about checking the logs,” said the employee. “You could put whatever you wanted in that note; you could even just enter a single space.”
Verkada’s cloud-based cameras were sold to customers in part on the strength of their analytical software. One feature called “People Analytics” let customers “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” said Verkada in a blog post. The same cloud-based systems that gave customers easy access to their cameras’ feeds also enabled the breach.
The hacker collective Advanced Persistent Threat 69420 (the name is a nod to the taxonomy used by cybersecurity companies to catalog state-sponsored hackers combined with the meme numbers 69 and 420) say they wanted to inform the public of the dangers of such ubiquitous surveillance. The breach “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,” one member of the group told Bloomberg. “It’s just wild how I can just see the things we always knew are happening, but we never got to see.”