Surveillance Insecurity (15 Mar)
A white hat is a hacker with heart. Wiki gives a conservative definition, but a description with firework flair was recently documented in a Bloomberg piece quoting the self-aggrandising hacker Tillie Kottmann: “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.” That really turns the ‘hacker stealing data and cash’ trope on its head.
This recent view of ethical hacking came off the back of a hack that broke into some 150,000 surveillance cameras owned by Verkada, a security surveillance startup in Silicon Valley. Verkada has an international presence, as was discovered when the story broke in Australia on the ABC website. Tillie Kottmann leaked the story to the media to raise awareness of the security vulnerabilities inherent in AI-driven, cloud-based surveillance software.
The surveillance cameras that Verkada supplies for installation in all sorts of public and private businesses, including gyms, hospitals, schools, aged care facilities, women’s health clinics and early learning centres, have the potential for facial recognition. The pervasive use of facial recognition software to gather private data on unsuspecting individuals is one thing; the fact that a technology holding such potentially sensitive data is so easily compromised raises serious issues about security surveillance and privacy.
The hackers say they accessed the network via an exposed administrator email and password easily available from the Darknet. This is a classic case of a fast-growing startup that didn’t understand the importance and sensitivity of the data it was collecting, and didn’t introduce the highest level of security before it scaled into a billion dollar company. This takes us back to Zoom in early Covid-19 times: security as a retrofit.
Why didn’t Verkada engage ethical hackers or IT security providers to give them assurance that their systems would protect not only their own clients but also their clients’ clients? Organisations have a legal obligation under state legislation in relation to surveillance, and the recommendation for the public sector goes further: seriously consider individual privacy before implementing a surveillance system, because that is the point at which risk can still be mitigated. Surely that can be applied to the private sector too.
The hackers responsible accessed live feeds and archived footage of ALL of Verkada’s clients. There is a whitepaper available to all on the Verkada website titled “Cybersecurity for Video Surveillance Systems”. Yeah, that irony is not lost on us here at Faster Networks.
Faster Networks helps businesses protect their digital assets. We are a cyber security partner that brings the best software solutions to anticipate and fix digital vulnerabilities. Our areas of expertise include Vulnerability Management, Security Orchestration, Automation and Response (SOAR), Application Security, Infrastructure Security, Distributed Denial of Service (DDoS) Protection and Application Pentesting.