Breach of 150,000 Surveillance Cameras Sparks Credential Concerns
Is your security secure? With more and more security devices being connected to networks, they are also exposed to network-based attacks and hacks.
In the latest such incident, up to 150,000 security cameras installed in schools, hospitals, factories, and businesses were compromised, giving outsiders access to video from Tesla factories, prisons, psychiatric hospitals, and more.
Hackers claim to have breached surveillance company Verkada, which issued a statement that it is investigating the scale and scope of the incident and has notified law enforcement. The attack was allegedly unsophisticated: the intruders used a privileged administrator account to gain access to the system, the BBC reported. A Verkada spokesperson said that all internal administrator accounts have been disabled for the duration of the investigation to prevent further unauthorized access.
EXCLUSIVE: Hackers broke into thousands of security cameras, accessing live footage from inside hospitals, prisons, and even a Tesla factory https://t.co/5FevexR5hK— Bloomberg (@business) March 9, 2021
According to Bloomberg, which broke the news of the breach yesterday, some of the cameras used facial recognition technology and analytics to identify and categorize people in video footage. The hackers also claimed to have had access to the full video archive of all Verkada customers—including live feeds, archived video, and audio.
One of the alleged hackers, Tillie Kottmann, told Bloomberg that the international hacker collective had intended to show the pervasiveness of video surveillance and ease with which it could be compromised—especially when devices are connected as part of the Internet of Things (IoT). Kottmann said that the collective gained access to the system on Monday morning, and has since lost access to the system.
“With IoT systems we now have a new dimension to cybersecurity,” says Coleman Wolf, CPP, CISSP, senior security consultant for Environmental Systems Design, Inc., and a member of the ASIS International IT Security Community. “Whereas we used to be concerned with confidentiality, integrity, and availability of data, now we have the added concern of safety. The systems now have the ability to monitor and control physical world actions, and people need to understand the potential risks of this.”
In addition, he says, “people need to perceive IoT devices as computers that can be hacked when put online rather than as mere appliances.”
But security professionals remain behind the curve when it comes to cybersecurity. According to the Genetec State of Physical Security 2020 report, released in December 2020, only 31 percent of security professionals were focusing on cybersecurity or cyber hardening projects, and 29 percent were evaluating cybersecurity tools to improve physical security environments.
“With cyber concerns as a result of the pandemic on the rise, and with most physical security deployments remaining on-premises, it is important that the physical security industry prioritize cyber hardening practices to get ahead of this major risk,” the report said.
Genetec CSO and VP of Cloud Solutions Christian Morin commented on the Verkada breach, explaining that “as an industry, and as manufacturers in physical security, we cannot take these hacks lightly. The potential broad-reaching impact of these hacks on physical security systems, including providing a beachhead to facilitate lateral movement onto networks, resulting in data and privacy breaches or access to critical assets and infrastructure, cannot be understated. It is our responsibility and duty to users of our technology to prioritize data privacy and cybersecurity in the development, distribution, and deployment of video surveillance systems.”
He adds, “Given the nature of the technology used to implement physical security systems today, and the fact that these systems are more connected now than ever to achieve various business goals, it’s imperative for physical security professionals to partner with IT/InfoSec experts.”
These partnerships enable security professionals to better evaluate physical security systems’ cyber risk and assess manufacturers’ and integrators’ ability and willingness to follow best practices.
Attackers simply want access to the network, and an access control system is as good an entry point as any other, experts said when we asked them about assessing cyber risks to access control systems. https://t.co/V3genQFijd— Security Management (@SecMgmtMag) March 3, 2020
Elisa Costante, vice president of research at IoT risk mitigation company Forescout, said that connected cameras are meant to provide an additional layer of security to the organizations that install them.
"Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true," she said in commentary shared with Security Management. "Worryingly, the attack wasn’t even very sophisticated and didn’t involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server.
"In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured,” she added. “But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered. We were able to intercept, record, and replace real-time footage from smart cameras by exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack. This effectively gives criminals a virtual invisibility cloak to physically access premises and wreak havoc in the real world.”
Costante recommended organizations ensure that they have a comprehensive device visibility and control platform in place, which could help them adequately assess their risk and monitor for vulnerable devices or unauthorized access.
But managing credentials, especially when third parties are involved, can be challenging. Daniel dos Santos, research manager at Forescout, tells Security Management that “the credential management part is very difficult. If there are known, hard-coded, default, or weak credentials on the device, they can be detected if they traverse the network in cleartext or by testing the devices directly.”
Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses. https://t.co/CsG0VhtY3U— William Turton (@WilliamTurton) March 9, 2021
“If found to be vulnerable, then the organization can act to assess and mitigate risk by changing those credentials,” he says. “Alternatively, if the credentials are shared for access with a system provider, the organization can, and should, monitor and even enforce that their devices have incoming/outgoing connections only to trusted IP addresses or domains associated with that provider.”
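The two checks dos Santos describes, spotting credentials that cross the network in cleartext and flagging device traffic to anything other than the provider's own addresses or domains, can both be scripted over the records a network monitor produces. The Python below is an added example written for this article; it is not Forescout's engine or any product's code, and the flow records, the trusted range, the vendor domain and the default-credential list are all constructed for illustration.

```python
import base64
import ipaddress
from urllib.parse import parse_qs

# Constructed sample flow records, in the shape a network monitor or tap might
# emit: source device, destination (IP or hostname), port, and any captured
# application-layer bytes (only cleartext protocols have a readable payload).
SAMPLE_FLOWS = [
    {"src": "cam-lobby-01", "dst": "203.0.113.10", "port": 443, "payload": b""},
    {"src": "cam-lobby-01", "dst": "198.51.100.7", "port": 80,
     "payload": b"GET /stream HTTP/1.1\r\nHost: 198.51.100.7\r\n"
                b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"},
    {"src": "cam-dock-02", "dst": "api.cloud.example-vendor.net", "port": 443, "payload": b""},
    {"src": "cam-dock-02", "dst": "192.0.2.99", "port": 80,
     "payload": b"POST /login HTTP/1.1\r\nHost: 192.0.2.99\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=root&password=S3cure%21Long"},
]

# Hypothetical allowlist: the provider's address range and domain, the only
# destinations these devices should ever talk to.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_DOMAINS = ("cloud.example-vendor.net",)

# Hypothetical list of vendor-default (username, password) pairs to test against.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "root"), ("admin", "12345")}


def is_trusted(dst):
    """True if dst is inside an allowlisted range or under an allowlisted domain."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return any(dst == d or dst.endswith("." + d) for d in TRUSTED_DOMAINS)
    return any(addr in net for net in TRUSTED_NETWORKS)


def extract_cleartext_credentials(payload):
    """Return (username, password) if an unencrypted HTTP request carries a
    Basic Authorization header or a form login; None otherwise."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", errors="replace")
            except ValueError:  # binascii.Error is a ValueError: malformed token
                return None
            user, _, password = decoded.partition(":")
            return (user, password)
    if body:
        # keep_blank_values so an empty default password ("admin", "") is still seen
        form = parse_qs(body, keep_blank_values=True)
        user = (form.get("username") or form.get("user") or [None])[0]
        password = (form.get("password") or form.get("pass") or [None])[0]
        if user is not None and password is not None:
            return (user, password)
    return None


def audit_flows(flows, trusted_check=is_trusted, defaults=DEFAULT_CREDENTIALS):
    """Produce (device, finding, detail) tuples. Only the username is written
    into a finding, never the password, so the report itself does not leak it."""
    findings = []
    for flow in flows:
        if not trusted_check(flow["dst"]):
            findings.append((flow["src"], "untrusted-destination", f"{flow['dst']}:{flow['port']}"))
        creds = extract_cleartext_credentials(flow["payload"])
        if creds is not None:
            kind = "default-credential" if creds in defaults else "cleartext-credential"
            findings.append((flow["src"], kind, f"user={creds[0]}"))
    return findings


if __name__ == "__main__":
    for device, finding, detail in audit_flows(SAMPLE_FLOWS):
        print(f"{device}: {finding} ({detail})")
```

In a real deployment the flow records would come from a SPAN port, a tap or a NetFlow/IPFIX collector, and an `untrusted-destination` finding is the trigger for the firewall rule that blocks the flow, which is the "enforce" half of the advice. Credentials sent over TLS are invisible to this check, so an empty report does not mean the devices have no weak credentials; those still have to be tested directly on the device, with the owner's authorization.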
To monitor for credential leaks or breaches, Morin recommends looking for various indicators of compromise (IOCs) within the security operations center.
“For example, if leaked credentials are used to log in to one of your systems, chances are they will be used by someone who is located in another country, which would trigger an impossible travel event,” he tells Security Management. “There are also services/firms that specialize in providing information as it pertains to breaches that could impact an organization by scouring the dark web, often referred to as post-breach detection. This would alert an organization that sensitive information/credentials are available in the wild and ready to be exploited.”
Compromised credentials are one of the most prevalent ways threat actors gain access to organizations' networks. These credentials are often obtained via phishing attempts sent to targets' email inboxes, Morin adds.
"Fortunately, this is also one of the easiest types of attacks to protect against and in some cases eliminate altogether," he says. "However, many organizations continue to fail to implement some of the simple controls that can really help.
“In the end, it is important to remember that there is no silver bullet or single control that solves everything,” he continues. “Multiple controls are actually needed to improve your posture, and this is often referred to as defense in depth.”
Some key controls that Morin says could help organizations fight credential compromise are:
- Implement multifactor authentication on accounts. This prevents threat actors from logging in using only a username and password combination harvested through phishing or a previous breach.
- Enforce segregation of duties by ensuring that privileged accounts are few, tightly controlled, and only used for their intended purposes.
- Employ the principle of least privilege, which limits the scope of the damage in the event of a breach.
- Monitor IOCs such as impossible travel (for example, logins from two locations on opposite sides of the world within a window too short to travel between them). This allows such breaches to be detected much more rapidly.
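The impossible-travel indicator Morin refers to, both in his comments above and in the last control in the list, is simple to compute from authentication logs: sort each user's logins by time, measure the great-circle distance between consecutive source locations, and alert when the implied speed is faster than anyone could travel. The Python below is an added example for this article, not Genetec's or any SOC product's detection logic; the login events, their geo-IP coordinates, the 900 km/h threshold and the 100 km noise floor are constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample authentication events. The lat/lon would normally come from
# a geo-IP lookup of the source address; they are embedded so this runs offline.
SAMPLE_LOGINS = [
    {"user": "ops-admin", "time": "2021-03-08T08:02:11Z", "ip": "198.51.100.20",
     "lat": 37.77, "lon": -122.42},   # San Francisco
    {"user": "ops-admin", "time": "2021-03-08T08:41:50Z", "ip": "203.0.113.5",
     "lat": 47.37, "lon": 8.54},      # Zurich, 40 minutes later
    {"user": "jdoe", "time": "2021-03-08T09:00:00Z", "ip": "198.51.100.21",
     "lat": 40.71, "lon": -74.01},    # New York
    {"user": "jdoe", "time": "2021-03-08T17:30:00Z", "ip": "198.51.100.22",
     "lat": 34.05, "lon": -118.24},   # Los Angeles, 8.5 hours later
]

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; an assumed threshold
MIN_DISTANCE_KM = 100.0     # ignore geo-IP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of Earth's radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.
    Returns a list of alert dicts; an empty list means nothing suspicious."""
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue  # same city, probably geo-IP noise or a second ISP
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            # Same-second logins from far apart imply infinite speed: still an alert,
            # and guarding the division keeps the detector from crashing on them.
            kmh = math.inf if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "kmh": kmh})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {a['user']}: {a['from_ip']} -> {a['to_ip']}, "
              f"{a['km']} km in {a['hours']} h ({a['kmh']:.0f} km/h)")
```

On the sample data only the ops-admin pair fires (roughly 9,400 km in 40 minutes), while jdoe's New York to Los Angeles logins 8.5 hours apart are an ordinary flight. In practice the main false-positive sources are VPN exits and mobile carriers whose geo-IP location is far from the user, so the threshold and noise floor should be tuned against a baseline of known-good logins before the alert is routed to an on-call analyst.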
Organizations can also mitigate risk by conducting thorough vendor risk assessments before buying in.
“As part of this assessment it’s important for organizations to ask the right questions of their vendors and make a risk decision based on the nature of the information that this vendor will be processing/handling,” Morin says. “In the case of video surveillance or access control systems, the impact could be very high for many organizations. It’s important to ensure that any vendor meets or exceeds your own organization’s security controls and make the call on whether the risk is acceptable or not when they do not.”
Security professionals can ask:
- Does the vendor employ multifactor authentication (MFA)?
- Does the vendor perform regular penetration tests?
- Has the vendor been the victim of any breach?
- Does the vendor have a secure software development process?
In addition to asking questions, security leaders should ask for proof to support the vendor’s answers. Asking for a third-party certification, such as ISO 27001, Morin says, provides further assurance that cybersecurity controls are properly implemented.
Last but not least, organizations should request audit rights, “so that you can see for yourself at any point that your data is handled appropriately,” he adds.
“What is very important to understand is that cybersecurity is a shared responsibility,” Morin says. “All parties involved in the system development, implementation, and operation have a critical role to play. It is important that manufacturers, integrators, and end users embrace this fact and work together to address this risk.”