One would like to think that any security company, be it physical or cyber security, understood the stakes of having high-profile clients enough to at least get this one simple thing right. Especially, given that almost every mass CCTV system attack we hear of has been as the result of this very same issue.

Sarb Sembhi, CTO & CISO at Virtually Informed, and regular contributor to IFSEC Global on the subject, commented: “If the attackers are to be believed (and there is no reason not to believe them), then creating a device with default username and password that doesn’t have to be changed on installation is most obviously bad practice.

Inadequate protection within surveillance hardware was cited as the third biggest potential vulnerability in surveillance systems, too. In IFSEC Global’s Video Surveillance 2020 Report, 76% of security end-users and consultants said they were either ‘quite’ or ‘very’ worried about the vulnerability of their surveillance systems to cyber-attacks, with almost half citing ‘back doors created by manufacturers for customer support and troubleshooting’ as the main cause of concern.

The news will likely raise further concerns over the inherent cyber protection in physical security devices – an issue experts have been highlighting for some time, as they call for growing awareness of potential vulnerabilities and the uptake of converged security solutions to cover both cyber and physical attacks.

The breach was described as ‘unsophisticated’, with the hacking group using a ‘super admin’ account to gain access, with the spokesperson from the collective saying they found the administrator username and password on the internet.

Graphic from The Video Surveillance Report 2020

The hackers have said they’ve been able to access live feeds and archived video, as well as audio. Many of the cameras utilise video analytics software, including facial recognition and tracking technology.

Read the full statement from Verkada, here.
Some of these measures are set to include a refocusing of engineers, engaging third-party experts and weekly customer webinars. CEO, Filip Kaliszan, outlined a plan the business has developed to guide its work in the future, as it seeks to “redouble efforts to strengthen the safeguards in products and earn back trust”. The company apologised to customers on Friday 12th March, saying it “fell short of our goals” and was “deeply sorry”.

The data breach is said to have been carried out by an international hacker collective, with one of the individuals involved explaining the reasons behind the attack were “lots of curiosity, fighting for freedom of information… and it’s also just too much fun not to do it”.

A Verkada spokesperson told Bloomberg that the company has “disabled all internal administrator accounts to prevent any unauthorised access”, and that its internal security team “are investigating the scale and scope of the issue, and we have notified law enforcement”.

Organisations using the vendor’s cameras said to be affected include Tesla and software provider Cloudflare, while Bloomberg has reported that the hackers also gained access to footage inside psychiatric hospitals and health clinics.

Thousands of Verkada cameras have been affected by a breach from a group of hackers, who have reportedly gained access to surveillance systems inside several high-profile companies, police departments, hospitals, prisons and schools.