Surveillance and Facial Recognition Systems From Verkada Breached

William Turton, Bloomberg:

A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.


Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.

Jason Koebler and Joseph Cox, Vice:

The spreadsheet, provided by one of the hackers to Motherboard, shows more than 24,000 unique entries in the “organization name” column. Verkada’s cameras are capable of identifying particular people across time by detecting their faces, and are also capable of filtering individuals by their gender, the color of their clothes, and other attributes.


From the spreadsheet itself, it is not clear which specific customers are deploying Verkada’s facial recognition capabilities. But those features appear to be basic functions of the camera, and not add-ons. Verkada’s website advertises that “all” of its cameras include “Smart Edge-Based Analytics,” referring to the cameras’ facial recognition, person identification, and vehicle analysis tools. It adds the cameras can detect “meaningful events,” which can mean unusual activity and “unusual motion” as determined by the camera’s AI. After detecting faces, a companion web app allows the camera’s administrator to search over time for footage that includes that specific person.

Access to the cameras and video archives of thousands of clients was granted by a username and password that was publicly available on the web, from which these activists were able to explore Verkada’s network. Just a staggering degree of incompetence. Apparently, some of Verkada’s clients are in Canada — including at least one government agency I can find — and I am sure our Privacy Commissioner will dig this.