Hackers access security cameras inside Cloudflare, jails, and hospitals

Hackers say they broke into the network of Silicon Valley startup Verkada and gained access to live video feeds from more than 150,000 surveillance cameras the company manages for Cloudflare, Tesla, and a host of other organizations.

The group published videos and images they said were taken from offices, warehouses, and factories of those companies as well as from jail cells, psychiatric wards, banks, and schools. Bloomberg News, which first reported the breach, said footage viewed by a reporter showed staffers at Florida hospital Halifax Health tackling a man and pinning him to a bed. Another video showed a handcuffed man in a police station in Stoughton, Massachusetts, being questioned by officers.

“I don’t think the claim ‘we hacked the internet’ has ever been as accurate as now,” Tillie Kottmann, a member of a hacker collective calling itself APT 69420 Arson Cats, wrote on Twitter.

Hardcoded credentials

Kottmann told Ars that the hack was made possible after Verkada exposed an unprotected internal development system to the Internet. It contained credentials for an account that had super admin rights to the Verkada network. Once inside the network, the hackers said they had access to feeds from 150,000 cameras, some of which provided high-definition video and used facial recognition.

In a statement, a Verkada spokesperson wrote: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

A Cloudflare representative, meanwhile, wrote:

This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year. As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, no customer data or processes have been impacted by this incident.

Tesla didn’t immediately respond to a request for comment.

Kottmann is a Switzerland-based software engineer who last year leaked 20GB of Intel source code and proprietary data. Other companies whose data has reportedly been breached by Kottmann include AMD, Microsoft, Adobe, Lenovo, Qualcomm, and Motorola. Those breaches also relied on hardcoded credentials in Internet-exposed repositories.

Kottmann said the hackers collected about 5GB of data from Verkada but could have obtained much more.