Hack of security company exposes footage from 150,000 connected cameras
Video and AI security company Verkada was breached, giving hackers access to over 150,000 internet-connected security cameras that were being used inside schools, jail cells, hospital ICUs, and major companies like Tesla, Nissan, Equifax, Cloudflare and others. The hack was conducted by a loose-knit anti-corporate hactivist group called APT-69420, based in Switzerland. According to the group's representative Till Kottmann, they accessed Verkada's systems on March 8 and the hack lasted for 36 hours.
He described Verkada, a Silicon Valley-based startup, as a "fully-centralized platform" which made it easy for his team to access and download footage from thousands of security cameras. The leaked footage appears to include major companies and institutions, but not private homes.
The video and images purport to capture a range of activities that might be sensitive, like security video from the Tesla car manufacturing line and a screenshot from inside the security firm Cloudflare. Some of the material is highly personal, including video of patients in hospital intensive care units and prisoners inside the Madison County Jail in Huntsville, Alabama.
Kottman described the security on Verkada systems as "nonexistent and irresponsible," and said his group targeted the company to demonstrate how easy it is to access internet-connected cameras placed in highly sensitive locations.
Verkada said they notified their customers about the hack, and that their security teams are working with an external security firm to investigate it.
Verkada told CBS News, "We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."
The FBI did not comment. CBS News has reached out to Tesla and Equifax but they were unavailable for comment at the time this story was published.
Kottmann provided CBS News with a 5 gigabyte archive containing video and images from the hack, and described the attack as "non-technical" and not difficult to pull off.
Kottmann said that her group discovered a Verkada administrator username and password stored on an unencrypted subdomain.
The company, she said, exposed an internal development system to the internet, which contained hard coded credentials for a system account which she said gave them full control over their system with "super admin" rights.
"We do scans for very broad vectors looking for vulnerabilities. This one was easy. We simply used their web app the way any user would, except we had the ability to switch to any user account we desired. We did not access any server. We simply logged into their web UI with a highly privileged user [account]," Kottmann said.
Kottmann said her group of hackers is not motivated by money or sponsored by any country or organization. "APT-69420 is not backed by any nations or corporations, backed by nothing but being gay, fun and anarchy," she said.
When asked if she feared repercussions, Kottman replied, "Maybe I should be a little more paranoid, but at the same time what would it change? I'm just going to be as targeted as I am right now."
The FBI says that Brian Mock went to the U.S. Capitol on Jan. 6 unsure of what he would face, but as he shared on social media just days later, he was prepared to fully commit to whatever came his way — even death. “I went to the Capitol not knowing what to expect but said goodbye to my 4 children, not sure if I was going to come home,” Mock wrote on Facebook on Jan. 8, according to federal documents charging Mock with multiple crimes. “I was at peace with that knowledge.” Mock, 43, is one of the latest people to be arrested for crimes related to the siege on the U.S. Capitol, according to a statement from the Justice Department.
The deadly insurrection at the US Capitol was “planned in plain sight” but intelligence failures left police officers exposed to a violent mob of Trump supporters, a Senate investigation has found. The Capitol police intelligence division had been gathering online data since December about plots to storm the building on 6 January, including messages such as: “Bring guns. It’s now or never.” But a combination of bad communications, poor planning, faulty equipment and lack of leadership meant the warnings went unheeded, allowing the insurrectionists to overrun the Capitol and disrupt certification of Joe Biden’s election victory. Five people died.
Federal prosecutors in Brooklyn have been investigating whether several Ukrainian officials helped orchestrate a wide-ranging plan to meddle in the 2020 presidential campaign, including using Rudolph W. Giuliani to spread their misleading claims about President Biden and tilt the election in Donald J. Trump’s favor, according to people with knowledge of the matter.
Manhattan prosecutors pursuing a criminal case against former President Donald Trump, his company and its executives have told at least one witness to prepare for grand jury testimony, according to a person familiar with the matter — a signal that the lengthy investigation is moving into an advanced stage. The development suggests that the Manhattan district attorney's office is poised to transition from collecting evidence to presenting what is likely a complex case to a grand jury, one that could result in the jury considering criminal charges.