Hackers Take Over Security Cameras Around The World

By Christopher Dobrec, Vice President, Product Marketing

These unmanaged and IoT devices have little or no security, exposing risk to any organization and their customers especially when confidential data is obtained.

Sadly, we saw another attack on security cameras today. According to reports, hackers breached the security-camera data collected by Silicon Valley startup Verkada Inc. They were able to gain access to feeds from Verkada customers which at present is 150,000 surveillance cameras across industries including hospitals, companies, police departments, prisons, and schools.

Security cameras are the oxymoron of the 21st century - built to provide security through video, but have none themselves. They are emblematic of the explosion of new connected devices seen across all businesses. While we know that this breach occurred via admin level access to Verkada’s systems, we have also observed that unmanaged devices such as security cameras are increasingly being targeted as a means to enter an environment, move laterally across an organization and even amass botnet armies.

These unmanaged and IoT devices have little or no security, and can be compromised by bad actors and expose risk to any organization and their customers, especially when confidential data is obtained. While these devices help improve efficiency and reliability, they lack the management and security needed to keep them secure. It also sheds light on the continuous need to rotate passwords, prohibit the use of a universal password, as well as manage device certificates. In fact, Bloomberg reported that one of the hackers identified as Tillie Kottmann said they were able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code.

Further, the reporting says “the hackers' methods were unsophisticated: they gained access to Verkada through a ‘Super Admin’ account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.”

The irony of a device built for security exploited by an accessible user name and password is not lost on me. We have an explosion of connected devices that has dramatically increased the threat landscape and risk management challenges of organizations globally. There is no EDR solution or agent to put on these unmanaged devices.

In order to ensure the security of these devices, we designed Armis specifically to identify security gaps and device vulnerabilities, detect threats and anomalous behavior, and automate policy enforcement associated with these devices and more. Furthermore, we partner with other providers to address the management and necessary firmware updates that are a significant challenge for security professionals with these devices.

To address security cameras and other such unmanaged and IoT devices, Armis partnered with Viakoo. Together, we can provide the best visibility of all devices and track behavior that may be suspicious or malicious. In this instance, if a security camera is behaving incorrectly, Armis can tell Viakoo, which can remediate risks on devices such as security cameras automatically. This helps ensure they are operational, secured, and working as expected. With input from Armis, Viakoo can take actions, including triggering firmware updates, forcing password rotations, refreshing certificates, and more. Together, Armis and Viakoo help organizations realize the full value these devices offer while ensuring they are safe and secure. Devices that Viakoo can’t remediate continue to be monitored by Armis for suspicious or malicious behavior and quarantined as needed.

If you are looking to secure your security cameras and more, as well as manage and update those devices, check out the upcoming webinar with Armis and Viakoo.

Have our blog posts sent to your inbox.