News Insights: Tesla, Equinox, Cloudflare among victims in hack exposing over 150,000 security cameras

Tesla, Cloudfare, and Equinox are among victims involved in a breach of more than 150,000 security cameras sold by security start-up Verkada.  Hacker Tillie Kottmann of the APT 69420 Arson Cats, claimed credit for the breach via twitter.

News Insights:

Saryu Nayyar, CEO, Gurucul (she/her):

   “The Verdaka breach appears to stem from inadvertently leaving an Admin level password exposed.  If true, it points to a policy failure and a lack of adequate access controls.  While the attackers claim to be up to a bit of mischief rather than disruptive crime, it is still illegal.

    Verdaka will need to review their access policies and their security stack to make sure they have the right defenses in place, including security analytics, to make sure another breach like this doesn’t happen in the future.”

Bryson Bort, CEO, SCYTHE:

   “This happened because of an insider threat. Employees at Verdaka had Super Admin privileges which allowed them access to all cameras— this means they could spy on customer feeds without their knowledge. The Super Admin password was leaked publicly. This is an example of bad security practices and the erosion of trust and privacy with customers. Customers depend on companies to do the right thing with ubiquitous always-on and connected devices because there is no way for them to know what’s really happening.”

Rolf Lindemann, VP of Product at Nok Nok Labs, a founding member of the FIDO Alliance

“The Verkada hack is far from surprising because the use of username/password-based authentication has been on the fast track to obsoletion for quite some time. These methods are not secure, scalable nor convenient – neither for accessing corporate resources nor for accessing IoT devices. Yet, despite constant exploitation, they continue to prevail. The time for change was yesterday, and Verkada only magnified the severity of the situation. While many are focusing on the access that was gained to networks, most importantly, we must acknowledge that this subsequently allowed access to frightening personal information and situations given that surveillance cameras were involved. It is not a new observation that Secure Perimeters are dead. But the rate at which they need to be improved is. To make Zero Trust a reality for employees, customers and IoT devices, convenient and strong authentication is key.”

Garret Grajek, CEO, YouAttest:

     “Though there are advanced state groups attacking our systems as SolarWinds and the Accellion attack surely demonstrate, the Verkada breach does not appear to be one of them.   What enterprises need to understand is we need to start with security 101. That starts with changing ALL default passwords, especially the admin account passwords. A quantified/verified system to manage and change these passwords in recommended as in turning on two-factor authentication when possible. We simply cannot make it this easy for hackers to enter our systems. We must remember – all our systems are being scanned all the time.   Especially if a system has a published vulnerability.”