Silicon Valley startup Verkada Inc, a closed-circuit TV and camera management platform, was breached by a group of hackers, exposing thousands of hours of footage from over 150,000 surveillance cameras, Bloomberg reported. Some of the company’s clients, which include hospitals, companies, police departments, prisons and schools, were using a facial-recognition tool to track and monitor their employees’ behaviour, among other things.
Verkada provided its services to companies like Tesla, Cloudflare, Halifax Health and Madison County Jail in Alabama, all of whose camera feeds were compromised as part of the hack. The hackers claim to have access to the entire video archive belonging to all of Verkada’s clients. They said that the intention of the hack was to see how pervasive video surveillance is and the ease with which these systems could be compromised. The hackers found that Verkada had implemented facial-recognition technology, which in the case of hospitals is used to identify and categorise people.
AI tools to monitor and analyse behavior
According to a blog post by Verkada, one of the tools it offers clients is called ‘People Analytics’, through which clients can “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face”. The report said that some of the facial-recognition cameras inside the jail, used to track inmates and correctional staff, were hidden inside vents, thermostats and defibrillators.
While Verkada’s clients may have requested that such technology be integrated as part of their camera services, some clients may be unaware that, in addition to their security teams, employees of Verkada also had access to the same feeds, the report said. According to Vice, the facial-recognition technology appears to be a basic function of the cameras and not an add-on. Verkada itself says that all of its cameras include “Smart Edge-Based Analytics” and that, as a company, it has been building artificial intelligence tools which allow for people detection, bounding boxes and heat maps.
Tillie Kottmann, one of the hackers, who spoke to Bloomberg, said that the hacking group was able to obtain “root” access on the cameras through a “Super Admin” account whose username and password were publicly exposed on the internet. They were then able to use this access to pivot and gain access to the broader network of Verkada’s customers. They could hijack cameras and use them as a platform to launch future hacks, Kottmann said.
The company has tasked an internal team and an external security firm with investigating the incident, the report said. In a statement to Bloomberg, a Verkada spokesperson said that the company has disabled all internal administrator accounts to prevent any unauthorised access. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” they said.
List of compromised entities
- Access to 150,000 surveillance cameras
- Halifax Health, a hospital in Florida
- Tempe St. Luke’s Hospital in Arizona
- A police station in Stoughton, Massachusetts
- 222 cameras in Tesla’s warehouse in Shanghai
- Sandy Hook Elementary School in Connecticut
- Women’s health clinics and psychiatric hospitals
- Wadley Regional Medical Center, a hospital in Texas
- 17 cameras inside Graham County detention facility in Arizona
- 330 security cameras inside the Madison County Jail in Alabama
- Cloudflare offices in San Francisco, Austin, London and New York
The entire list of entities that may have been compromised in the hack includes:
- K-12 schools
- Private residences marked as “condos”
- Shopping malls
- Credit unions
- Multiple universities across America and Canada
- Pharmaceutical companies
- Marketing agencies
- Pubs, bars and breweries
- A Salvation Army Center
- The Professional Golfers Association
- A newspaper’s office