Hackers have broken into Verkada, a popular surveillance and facial recognition camera company, and managed to access live feeds of thousands of cameras across the world, as well as siphon a Verkada customer list. The breach shows the astonishing reach of facial recognition-enabled cameras in ordinary workplaces, bars, parking lots, schools, stores, and more.
The spreadsheet, provided by one of the hackers to Motherboard, shows more than 24,000 unique entries in the “organization name” column. Verkada’s cameras are capable of identifying particular people across time by detecting their faces, and are also capable of filtering individuals by their gender, the color of their clothes, and other attributes.
Videos by VICE
“It’s so abysmal,” Tillie Kottman, one of the hackers claiming responsibility, told Motherboard in an online chat, referring to the ease of access to the cameras once they discovered a username and password online. Bloomberg first reported the news of the breach on Tuesday, and reported that the hackers had managed to access live video feeds from companies such as Tesla and Cloudflare, as well as jails and hospitals.
The staggering list includes K-12 schools, seemingly private residences marked as “condos,” shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper’s office, airports, and more.
Do you know anything else about the Verkada breach, or any other surveillance company? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
From the spreadsheet itself, it is not clear which specific customers are deploying Verkada’s facial recognition capabilities. But those features appear to be basic functions of the camera, and not add-ons. Verkada’s website advertises that “all” of its cameras include “Smart Edge-Based Analytics,” referring to the cameras’ facial recognition, person identification, and vehicle analysis tools. It adds the cameras can detect “meaningful events,” which can mean unusual activity and “unusual motion” as determined by the camera’s AI. After detecting faces, a companion web app allows the camera’s administrator to search over time for footage that includes that specific person.
Kottman dubbed the group responsible for the hack “APT-69420 Arson Cats,” in the online chat with Motherboard.
In October, Motherboard reported on how Verkada employees abused their own surveillance cameras installed in the company office to harass coworkers, including joking about women colleagues identified by the cameras and making sexually explicit jokes about them. Initially, the company did not fire the respective employees. In the wake of that article, Verkada’s CEO and co-founder Filip Kaliszan said the company had changed its decision and terminated the employees.
In recent months, Verkada has advertised its cameras as a useful tool for offices who are returning to work during the COVID-19 pandemic, arguing that its cameras can be used to detect when rooms are over a certain capacity, can be used to restrict access to meeting rooms, and can be used for contact tracing.
A Verkada spokesperson told Motherboard in an email that “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
Update: This piece has been updated to include a statement from Verkada.
Subscribe to our cybersecurity podcast CYBER, here.