Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. Tillie Kottmann, one of the hackers, said the group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage. That included footage from 222 cameras placed inside various Tesla factories and warehouses, Kottmann said in a message. In all, the group could have accessed material from 150,000 Verkada cameras, according to Kottmann, who doesn't identify as male or female and uses they as a pronoun. Verkada has since disabled all internal administrator accounts to prevent any unauthorized access and has both internal and external teams investigating the matter, a spokesman said.
More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company's security protocols. Verkada was breached on Monday, when hackers gained access to what's known as a "Super Admin" account that allowed them to see all of the live feeds and archived videos of Verkada's customers, Bloomberg reported. With access to 150,000 cameras, the hackers were able to see inside Tesla Inc., as well as watch police interviews and witness hospital employees tackling a patient. The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. "We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally," said one former senior-level employee, who asked not to be identified discussing private information.
A report from Bloomberg says that hackers breached the security of Verkada, an enterprise surveillance video company, and were able to access live feeds from over 150,000 cameras. The reporter were in contact with the hackers, who said they had access to hundreds of cameras in Tesla facilities, as well as other companies like Cloudflare. In a statement, a spokesperson for Verkada said "We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement." The hackers said they lost access after Bloomberg contacted the company, but that they initially got in via a "Super Admin" login that was exposed on the internet, then used built-in camera features to obtain root access and remote control.
Following reports that live feeds from over 150,000 of its security cameras were exposed, including those situated in prisons, hospitals, schools, police stations, and Tesla factories, Verkada has disabled accounts to prevent further access. According to Bloomberg, a group of hackers accessed the data collected by the Silicon Valley startup. The hackers are reported as saying they also have access to the full video archive of all Verkada customers. Bloomberg claims to have sighted footage validating the details of the breach. Verkada has described itself as bringing "the ease of use that consumer security solutions provide, to the levels of scale and protection that businesses and organisations require".
Tillie Kottmann, a 21-year-old hacker, has been raided by Swiss authorities and their devices seized, Bloomberg reports -- days after helping to reveal how Silicon Valley security startup Verkada's own security was so poor that that hackers were able to access over 150,000 of the company's cameras to see the insides of schools, jails, hospitals, police stations, and Tesla factories. The raid doesn't have anything to do with Verkada, according to Bloomberg, but instead an "alleged hack that took place last year," and interestingly, a Swiss authority pointed Bloomberg to the US Department of Justice for further questions. It's not clear which hack the DOJ might be interested in, as Kottmann has been continually sharing leaked files from various companies for months, but one sticks out as likely: Kottman leaked a huge collection of secret documents and source code from chipmaker Intel last year, and Intel vowed to investigate. Bloomberg says it's seen the search warrant, which mentions that the FBI was looking into the "theft and distribution of information including source code, confidential documents and internal user data." Kottmann has suggested in the past that they've been unfairly targeted for ethical hacking, particularly by Twitter, which suddenly chose to enforce its rules on ban dodging by suspending Kottmann's account just a few days after the Intel leak in August 2020.