UPDATE March 10: Verkada has a new Security Update with more technical details: The link to the Security Update has just 3 paragraphs, a subset of what is in this email. Suspending all internal admin accounts, one of which was allegedly used to gain access. The most notable element disclosed was about an internal admin account being used:
UPDATE: Verkada has sent an email to customers: This might present an opportunity for Verkada to focus more on engineering, though ambitious sales targets may suffer. Verkada has prioritized sales expansion over growing the engineering team, with 150% more salespeople than engineers and almost half the entire company in sales, per LinkedIn: While Verkada will likely emphasize that they fixed it, it will at least present significant headwinds to the company that has been hiring at an unprecedented rate, e.g. Worse, they then have internal access to those networks, risking further attacks. In this case, it was Tesla, 30 Fortune 500 companies, hundreds of government entities, etc. The disadvantage is that when a hacker hacks a cloud-managed video surveillance provider, they get access to all the customers immediately.
With non-cloud systems (recall the 2017 mass Dahua hacking), the manufacturer has to push firmware to each user and hope they upgrade over weeks or months (or never). On the advantageous side, Verkada was able to immediately block access to this specific hack across all cameras (until the next vulnerability is discovered, etc.). Cloud-managed video surveillance presents advantages and disadvantages for hacking.
Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Particularly alarming, per Bloomberg, was that: It's like 15% of every IoT hack is done through your camera system today. After today, Verkada will certainly be less well known as 'the cybersecurity company.' But when people list us and when they talk about us, they refer to us as the cybersecurity company.
Moreover, Verkada has attacked NVR and IP camera cybersecurity, e.g., this sales recruiting presentation: Moreover, many Verkada customers pre-pay their annual subscriptions years in advance, and such payments are non-refundable and non-transferable, so switching would incur further losses. Beyond the obvious risk to Verkada's customers, this is awkward for Verkada considering Verkada has attacked and demeaned its competitor's cybersecurity, e.g. On the positive side for Verkada, Verkada locks in its customers so it is not possible for Verkada customers to switch or to disconnect them from Verkada's servers without throwing Verkada cameras away. Worse, the hacker told Bloomberg they were "able to obtain 'root' access on the cameras" including "to pivot and obtain access to the broader corporate network of Verkada’s customers."
Verkada has suffered a massive hack, according to Bloomberg, of all ~150,000 of the company's cameras.