(Noted News) — A hacking group has gained access to thousands of security cameras by breaching California-based security software company Verkada, compromising big companies and institutions like Tesla Inc, Cloudflare Inc, multiple prisons, and a collection of healthcare facilities, including women’s health clinics and psychiatric hospitals.
According to Bloomberg, the hackers released a video which appeared to depict 8 hospital workers from Halifax Health in Florida tackling a man and forcing him onto a gurney. Many of the camera systems in Verkada’s database incorporate facial recognition technology, which means the identities of those captured in the footage are now compromised.
Tillie Kottman, a spokesperson for the hacking group who goes by “they/them” pronouns, said the attack was done to draw attention to the vulnerability of digital, centralized security systems, and the ways in which they violate privacy.
Kottman, a Swiss-based hacker who has done multiple public hacks in the past, said they were driven by “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”
Kottman’s Twitter account has since been taken down, but their website remains up. In February, they hacked into a “girls only” phrenology app that recently sparked controversy because its verification process requires users to take a selfie, which is then analyzed by a biometric algorithm, causing difficulties for transgender women.
Kottman said that the hack on Verkada “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit. It’s just wild how I can just see the things we always knew are happening, but we never got to see.”
The Swiss hacker said the breach was more or less simple. Kottman and their collective gained “Super Admin” level access to Verkada’s system using a username and password combo that was somehow publicly available on the internet. After gaining access, all of the security firm’s data was exposed, along with the whole network of cameras belonging to their clients.
Cloudflare released a statement, claiming that no private customer data had been compromised.
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year. As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, no customer data or processes have been impacted by this incident.”
Verkada also made a brief statement, mentioning that law enforcement had gotten involved.
“We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
One of the compromised jails, Arizona’s Graham County Detention Facility, was revealed to have been saving surveillance videos in ways that degraded the inmates. One video was titled “ROUNDHOUSE KICK OOPSIE.” Another was called “SELLERS SNIFFING/KISSING WILLARD???” Another video, filmed in the drunk tank, was saved as “AUTUMN BUMPS HIS OWN HEAD.” A video filmed in the “Back Cell” was titled “STARE OFF- DON’T BLINK,” and another was called “LANCASTER LOSES BLANKET.”
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, was briefed on the situation by Bloomberg.
“If you are a company who has purchased this network of cameras and you are putting them in sensitive places, you may not have the expectation that in addition to being watched by your security team that there is some admin at the camera company who is also watching,” she said.
Tesla has so far not responded, but videos of its factories in China remain available online.
Kottman also claimed credit for a breach of Intel Corp in August of 2020.