
Major Hack of Camera Company Offers Four Key Lessons on Surveillance

Sometimes what's sold as progress is anything but.
Jay Stanley,
Senior Policy Analyst,
Speech, Privacy, and Technology Project
March 15, 2021

We learned last week that a group of hackers gained access to cameras installed by a surveillance camera company, and said they were able to access live feeds from 150,000 cameras inside schools, hospitals, gyms, police stations, prisons, offices, and women’s health clinics. Some of the video footage — showing patients in their hospital rooms, for example — was extremely privacy-violating.

The company, Verkada, does not merely sell security cameras; it also provides a variety of surveillance services to its clients, including cloud storage of video footage and remote access to camera feeds on smartphones or other devices. Because the company streams video to a centralized source (its servers) to provide these services, the hackers were able to access not just a few cameras here and there, but a vast number of video feeds.

What does this breach tell us about the state of security today? While the story has many dimensions, it offers four principal reminders about surveillance, video, and internet-connected devices.

1. The dangers of connected cameras

When you hook up a camera to the internet, you are making it vulnerable. And you are making the privacy of anybody recorded by that camera vulnerable. We have previously warned people who are considering buying a doorbell camera or other internet-connected camera for their home — or other kinds of “Internet of Things” devices — that they are susceptible to hackers. In this case, the hackers reported that they were able to watch video showing such things as a man struggling with staffers inside a psychiatric hospital, a man being interrogated in a police station, patients in a hospital intensive care unit, and a family doing a puzzle inside their home. The hackers reported accessing not just live video but also videos customers had saved to the cloud — in other words, onto Verkada’s servers.

Digital security is difficult. The bottom line is that it’s simply easier to attack an online asset than to defend it. To protect it, your defenses have to be perfect, while an attacker only needs to find one way to succeed — one weak password, one unpatched vulnerability, or one gullible worker. Many companies, especially less established ones, don’t make cybersecurity a priority. That’s because good cybersecurity is expensive, and with the occasional exception of a few days’ bad headlines, the consequences of failure typically fall on others, rather than on the company.

2. Device vendors can be device snoopers

Internet-connected devices are vulnerable to three broad categories of privacy invasion: hackers, the government, and the companies that make the devices. We don’t know of any government intrusion here — though any collection of sensitive data is vulnerable to domestic or foreign governments through legal or other processes. But this breach is certainly a reminder of that third vulnerability.

The intruders gained access through a pre-existing Verkada “Super Admin” account that let employees watch video from any of the company’s cameras. The very existence of such an account is a scandal in itself. and reported that the use of these Super Admin accounts was widespread within Verkada, with more than 100 employees having access. One former executive told Bloomberg that such access extended to sales staff and “20-year-old interns.” It’s unclear how many (if any) of Verkada’s customers knew about this centralized access, though if any did, they weren’t notified when it was happening — and it’s pretty likely they didn’t expect it to be so casually used.

Unfortunately, such centralized access to surveillance feeds by vendors is hardly surprising. Ring, the Amazon-owned doorbell camera company, gave workers in the world together with customer details. Other companies offering similar services have also granted such access, including , , , and .

3. The inappropriate deployment of cameras

By providing a window into video surveillance systems across a wide range of institutions, the Verkada hack reveals how some of those institutions deploy cameras in inappropriate or unethical ways.

If I were lying in an ICU bed, I know I wouldn’t want a camera on me. And if there was a camera set up for observation by medical staff, I certainly wouldn’t want it sending data to the internet. Nor would I want an internet camera on me while I worked out at a gym or visited a clinic, or on my children at school. If there was a camera, I’d like to know it — and if it were connected to the internet or using face recognition I’d like to know that, too.

Videos viewed by Bloomberg showed that in one Alabama jail, cameras were hidden inside vents, thermostats, and defibrillators, and tracked both incarcerated individuals and correctional staff using face recognition. If that jail could do that, so presumably could any of the company’s clients who chose to do so.

Aside from Verkada’s failings, these institutions have failed the people who appeared on their cameras. Most of the subjects of this surveillance were not Verkada’s customers, had no relationship with Verkada, and probably were not even aware of the company’s existence. Even if Verkada had the best, most transparent contractual relationship with its customers, many of those subjects were still being surveilled in ways they shouldn’t have been.

4. The power of face recognition and video analytics

Among the services that Verkada offers are face recognition and other video analytics, including “people and car detection” as well as intelligent search functions that allow for “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face.”

We have written in detail about how video analytics can let computers not just store video but understand, analyze, and intelligently search it. That is making video a more powerful and intrusive surveillance mechanism. But it could also make video a more valuable asset for hackers. If face recognition or other characteristics are pre-computed, for example, the video archive could become more manageable to an attacker looking for a specific target.

In that respect, one finding was troubling: According to images viewed by Bloomberg, cameras in the offices of the company Cloudflare were using face recognition, but the company said that it has “never actively used it.” If the company is telling the truth, that would suggest that face recognition was being applied to a customer’s video by Verkada without that customer’s knowledge.

These four lessons should be taken to heart by policymakers, institutions, and individuals. The Verkada hack involved a veritable Russian nesting doll of victims: The hackers breached Verkada, which appears to have been intruding upon its customers by allowing free access to their video feeds. And those customers betrayed those who appeared on Verkada’s cameras not only by putting too much trust in the company in particular and in cloud services in general, but in many cases by collecting video that was inappropriate in the first place. Verkada centralized management of video as a must-have security feature, but this hack dramatizes the downsides of such centralization. Instead of providing security to its customers and the people captured by their cameras, that centralization provided invasion and insecurity.

 
