Security camera hack exposes thousands of video feeds

A security camera hack at an IoT startup exposed the live video feeds and the stored data of thousands of customers. In this article, we’ll talk about the breach and explain how it happened. We’ll also tell you how to make your own home security cameras safer.

Background to the incident

This week, hackers breached the network of IoT security camera start-up Verkada. The company provides web-accessible video surveillance for businesses, healthcare facilities, financial institutions, schools, and governments. 

During the incident, approximately 150,000 security cameras were compromised, affecting the thousands of organizations that use Verkada’s services. The hackers were able to access live video feeds from restricted areas monitored by Verkada cameras. In addition, they were able to view users’ archived video and images. The breach affected organizations both large and small, including such famous names as Tesla and web infrastructure giant Cloudflare. 

Who was behind the Verkada security camera hack?

The “good news” in this story is that the hackers didn’t really want to harm Verkada’s customers. According to reports, they were simply “hacktivists” who wanted to call attention to the prevalence of surveillance in modern life. 

In terms of how the breach went down, the hackers themselves provided the details. Tillie Kottmann, a member of the group who spoke to the media, says that they discovered login details for a Verkada admin account exposed on the web. Armed with those credentials, they were able to enter Verkada’s corporate network — and use many of the company’s internal administrative tools. Because they had privileged access, the hackers could see customers’ live video feeds, and download archived video as well.

After the breach, the group shared the details of their successful hack with the media. Verkada, for its part, contained the breach within a day or so of the initial intrusion.

How to prevent home security camera hacks

The Verkada security camera hack primarily affected organizations, not individuals. However, many people use IoT security cameras in their homes. And these can be just as vulnerable to hacking (if not more so) than the cameras in the Verkada hack.

So what steps can home users take to prevent hackers from accessing their home security cameras? Here are 3 basic recommendations:

1. Choose IoT products carefully

   IoT devices in general have a poor reputation for security. There are several reasons for this. For one thing, many smart device manufacturers are new to the business, and have limited experience with cybersecurity. IoT “things” also tend to be hot sellers, leading many manufacturers to cut corners on secure development in the rush to get their products to market. Unfortunately, all of this can result in highly vulnerable devices. If you’re considering an IoT home security camera, use our IoT buyer’s guide to make sure you’re getting the safest option possible.

2. Set up IoT devices for security

   The Verkada hack happened because someone left admin credentials exposed to the web. Unfortunately, many home users of IoT devices make similar mistakes. They don’t change their devices’ default login credentials, or they use weak, easily guessed passwords. They leave IoT devices exposed to the open web unnecessarily. And they fail to take the most basic precautions required to set up a smart home for security. If you’re going to bring a web-accessible smart device into your home, whether it’s a security camera or anything else, make sure you’re following best practices for secure IoT device setup.

3. Use end-to-end encryption

   Some home security camera manufacturers offer end-to-end encryption (E2EE) for video. Video protected by E2EE can’t be viewed by third parties — even if they work at the companies whose servers are handling the video. This is because the encryption keys needed to “unscramble” the encrypted data are only stored on the security camera itself and the trusted device used to access the video. As of January 2021, Amazon’s Ring home security cameras have started to offer E2EE to some users (the full rollout of the feature is expected in the future). Users of Apple HomeKit Secure Video are already protected by E2EE. In addition, because HomeKit processes video locally on a “home hub” device, instead of on Apple’s servers, HomeKit users can still take advantage of features like face recognition and event detection without sacrificing E2EE.

If you use IoT home security cameras, follow the recommendations above to protect yourself from a potential hack. If you’d like to hear a discussion about the growing phenomenon of neighborhood security cameras, and some of the concerns that these are causing, have a listen to Episode 154 of The Checklist podcast.