Earlier this week, cloud camera startup Verkada was breached and hackers gained access to camera systems located in firms such as Tesla and Cloudflare.
The incident is odd for a number of reasons. For instance, the hackers claim they found the username and password on the public web which granted them Super Admin status, effectively giving the hackers the keys to the kingdom.
While Super Admin accounts aren’t strange, they aren’t meant to be especially common within an organisation. Support staff may have Super Admin access to solve a client’s problem, while engineers might have that level of access to solve IT-related problems.
But to have that sort of account just sitting on the web waiting for anybody to spot it is odd.
Now Bloomberg reports that more than 100 Verkada employees had Super Admin accounts allowing them to view the camera feeds of clients. While there is no proof that employees watched Tesla as it purchased Bitcoin, the pervasiveness of 100 Super Admin accounts is concerning.
“We literally had 20-year-old interns that had access to over 100 000 cameras and could view all of their feeds globally,” a former Verkada employee told Bloomberg (paywall).
Verkada says that its training makes it clear that nobody, not even support staff, can view a client’s camera systems without permission but there are several more details that make this statement a bit pointless.
For instance, that former employee reports that, when accessing a camera feed, a reason needed to be provided. Unfortunately, it’s reported that nobody checked those logs.
“You could put whatever you wanted in that note; you could even just enter a single space,” the former employee says.
Beyond that, Super Admin users could also un-hide a client’s video feed if they had set it to private.
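The two gaps described above (a justification field that accepted a single space, and access logs nobody reviewed) are both cheap to close. The snippet below is an added illustration and not Verkada’s code; its log format, field names and sample entries are constructed assumptions. It validates a justification at the point of access so that blank or whitespace-only reasons are rejected, and it runs a review over a batch of access-log entries to flag vendor-side Super Admin views that carry no usable justification or that open a feed the client marked private.

```python
"""Review of camera-access audit entries for missing justifications and
privileged views of private feeds.

Added illustration. The JSON-lines format, field names and the sample
entries below are constructed assumptions, not any vendor's real schema."""
import json
from collections import Counter
from typing import Dict, List

MIN_JUSTIFICATION_CHARS = 10  # assumption: a usable reason is longer than a bare id

# Constructed sample entries: one camera-feed access event per line.
SAMPLE_LOG = """\
{"ts": "2021-03-08T10:02:11Z", "user": "support-a", "role": "super_admin", "org": "cust-1", "camera": "cam-14", "feed_private": false, "justification": "Ticket 4412: customer reports frozen stream"}
{"ts": "2021-03-08T10:05:40Z", "user": "intern-b", "role": "super_admin", "org": "cust-2", "camera": "cam-07", "feed_private": true, "justification": " "}
{"ts": "2021-03-08T10:07:03Z", "user": "intern-b", "role": "super_admin", "org": "cust-3", "camera": "cam-21", "feed_private": false, "justification": ""}
{"ts": "2021-03-08T10:09:55Z", "user": "eng-c", "role": "super_admin", "org": "cust-1", "camera": "cam-02", "feed_private": true, "justification": "Ticket 4418: firmware rollback verification"}
{"ts": "2021-03-08T10:12:30Z", "user": "cust1-admin", "role": "org_admin", "org": "cust-1", "camera": "cam-02", "feed_private": true, "justification": ""}
"""


def is_valid_justification(text: str) -> bool:
    """Reject blank or whitespace-only reasons (a single space must not pass)
    and anything too short to say why the feed was opened. This is the check
    that belongs at the point of access, before the feed is shown."""
    return len(text.strip()) >= MIN_JUSTIFICATION_CHARS


def parse_log(raw: str) -> List[Dict]:
    """Parse JSON-lines audit entries, skipping empty lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def review_access_log(entries: List[Dict]) -> Dict:
    """Periodic review: flag vendor (super_admin) views that lack a real
    justification or that open a feed the client marked private.
    A client's own org_admin viewing its own cameras is not flagged."""
    findings = []
    for e in entries:
        reasons = []
        vendor_view = e.get("role") == "super_admin"
        if vendor_view and not is_valid_justification(e.get("justification", "")):
            reasons.append("missing_justification")
        if vendor_view and e.get("feed_private"):
            reasons.append("private_feed_viewed_by_vendor")
        if reasons:
            findings.append({
                "ts": e["ts"], "user": e["user"], "org": e["org"],
                "camera": e["camera"], "reasons": reasons,
            })
    # Count findings per vendor account so repeat offenders stand out.
    per_user = Counter(f["user"] for f in findings)
    return {"findings": findings, "per_user": dict(per_user)}


if __name__ == "__main__":
    report = review_access_log(parse_log(SAMPLE_LOG))
    for f in report["findings"]:
        print(f["ts"], f["user"], f["org"], f["camera"], ", ".join(f["reasons"]))
    print("per user:", report["per_user"])
```

Run on the constructed sample, the review flags the two intern views (one of them a private feed opened with a single-space reason) and the engineer’s view of a private feed, and leaves the client’s own administrator alone. The point of the second function is that a justification field only has value if someone, or something, actually reads it: a scheduled review like this one, with the per-user counts routed to whoever owns the access policy, is what turns the note into an audit control.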
Worse still – yeah it just keeps getting worse – Verkada employees reportedly raised concerns about the level of access Super Admin accounts had.
Further to this, research firm IPVM published a blog detailing Verkada’s Super Admin functionality and its various pitfalls and missteps.
What started out as a seemingly unfortunate hack has now snowballed into the various failings of a security company to secure its processes.
We have a feeling this story is far from over.
[Image – CC 0 Pixabay]