
A Massive Security Breach for the Silicon Valley Start-Up


Verkada, a Silicon Valley security start-up that provides cloud-based security camera services, has suffered a massive security breach. Hackers accessed more than 150,000 of the organization's cameras, including cameras in Tesla processing plants and warehouses, Cloudflare offices, Equinox gyms, medical clinics, prisons, schools, police stations, and Verkada's own offices, Bloomberg reports.

According to Tillie Kottmann, one of the members of the international hacker collective that breached the system, the hack was intended to demonstrate how easily the organization's surveillance cameras can be hacked. In addition to the live feeds, the group also claimed to have had access to the full video archive of all of Verkada's customers. In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staff members tackling a man and pinning him to a bed. Halifax Health is highlighted on Verkada's public-facing site in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”

In a statement to Bloomberg, a Verkada representative said: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this potential issue.” Following Bloomberg's request to Verkada, the group lost access to both the organization's live feeds and archives.

The hack was relatively simple: the group figured out how to acquire "Super Admin"-level access to Verkada's system using a username and password they found publicly on the internet. From that point onwards, they were able to access the company's entire network, including root access to the cameras, which in turn permitted the group to access the internal networks of some of Verkada's customers.

The organization has also faced harsh criticism in the past over allegations of sexism and discrimination after an incident in 2019, in which a sales director used Verkada's office surveillance cameras to harass female associates by secretly photographing them and posting the pictures in a company Slack channel. In response, Verkada's CEO offered members of the Slack channel a choice between leaving the organization or having their stock options cut.

Vulnerabilities with AvertX IP security cameras

This February, Palo Alto Networks Unit 42 found three vulnerabilities in the latest version of AvertX IP cameras.

These three vulnerabilities were found in AvertX models HD838 and 438IR, which are used as outdoor surveillance cameras with object-detection and infrared technology built in. Users can store the recordings in the cloud, on a Network Video Recorder (NVR), or on a memory card.

The three vulnerabilities that were found and confirmed by AvertX were:

CVE-2020-11625: User enumeration

Failed web user interface (UI) login attempts return different results when the account doesn't exist, which could enable attackers to use brute-force attacks.

CVE-2020-11624: Weak password requirements

The software does not require users to change the default password. When the user tries to log in with the default password, a pop-up shows 'password has been changed' but still lets the user log in.

CVE-2020-11623: Exposed dangerous method or function

An exposed UART interface exists that could be exploited by an attacker with physical access to the UART to change diagnostic and configuration functionalities.

The Impact of these Vulnerabilities

Because the user-enumeration vulnerability lets attackers collect valid usernames, they can target legitimate accounts with a brute-force attack; once a username is known, it is easy to obtain the password by brute force.

Since the camera can be accessed using the default password, your camera and machine can easily be compromised. The default password can be found just as easily by reading a user manual, and an attacker can then use it to connect to IoT devices.

Physical access to the UART (universal asynchronous receiver-transmitter) can allow the attacker to change or modify configurations, or even shut the camera down.
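The first two flaws, sketched as an added example (not AvertX's firmware code and not from the original post): a login handler with the described behaviour beside a hardened one. The user table, function names, reply strings and the `changeme` default are constructed for illustration.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "changeme"  # constructed placeholder, not a real vendor default


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "must_change": password == DEFAULT_PASSWORD}


# Constructed user table: "admin" still has the factory default password.
USERS = {"admin": make_user(DEFAULT_PASSWORD), "alice": make_user("S3parate-Long-Pass")}
_DUMMY = make_user(os.urandom(16).hex())  # burns the same hashing time for unknown users


def login_vulnerable(user: str, password: str) -> str:
    """Behaviour the advisories describe: distinct replies, default password accepted."""
    rec = USERS.get(user)
    if rec is None:
        return "unknown user"              # reveals which usernames exist
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "wrong password"
    return "ok"                            # session granted even on the default password


def login_hardened(user: str, password: str) -> str:
    rec = USERS.get(user, _DUMMY)          # unknown users follow the same code path
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    if not ok or rec is _DUMMY:
        return "invalid credentials"       # one reply for every failure
    if rec["must_change"]:
        return "password change required"  # no session until the default is replaced
    return "ok"


def enumerable(login, known: str, unknown: str) -> bool:
    """Defender's check: can replies to a bad password tell the two names apart?"""
    return login(known, "x") != login(unknown, "x")
```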

AvertX analyzed the faults and vulnerabilities and has released a patch with the proper modifications. It has also removed the UART connector and changed the interface in later production batches.

The 2020 Unit 42 IoT Threat Report showed that security cameras make up 5% of Internet of Things (IoT) devices overall, but they account for 33% of security issues related to IoT devices.