
Ordr Response to Verkada Breach

On Tuesday, March 9th, Bloomberg reported that threat actors had breached the security camera feeds of Verkada Inc, a Silicon Valley startup, gaining access to almost 150,000 video surveillance cameras inside hospitals, organizations, police departments, prisons and schools. This was an unsophisticated hack, i.e., the threat actors found exposed credentials for an administrator's account on the Internet.

While many security vendors are claiming that they could have detected the breach, note that in this specific case the credentials used were valid administrative credentials that provided access to multiple feeds from multiple customers on the Verkada cloud servers, not on customer networks. Additionally, because of Verkada's architecture, every feed from an organization's cameras was encrypted and sent directly to the cloud. Therefore, no on-premises security solution would have detected any anomaly from the cameras, as they were simply streaming video to the centralized cloud server as usual.

However, there are several security lessons from this incident:

  • Real-time visibility is critical - Video surveillance cameras are pervasive and, just like many IoT devices, are not built with security in mind. Security starts with knowing what's on your network. Our customers use our inventory dashboard to find devices like Verkada or any other video surveillance cameras on their network.

  • Profile risks and behavior - It's important not only to identify devices, but also to understand the risks they bring and map how they communicate. In one Ordr deployment, we found that 60% of an organization's cameras, deployed in hundreds of facilities world-wide, were using default passwords that were published on the Internet. And some of these cameras were running "non-production" software, calling home to their R&D center in China periodically. Once you understand the risks and have baselined normal communications, you can create segmentation policies that grant each device the access required for its role while limiting its exposure.

  • Monitor admins, users and access - Always make sure that admin and maintenance accounts are secured properly, and monitor users and access. As outlined in this blog, Ordr provides very robust tracking of users via AD/RADIUS and wireless integrations, so you can monitor which user is accessing which devices at what time. We also monitor the supervisory protocols SSH, Telnet and RDP, and can distinguish access by corporate versus guest users.

Organizations must look at the rapid growth of connected devices (i.e., digital transformation) as an opportunity to start maintaining a continuous and accurate inventory, to gain a true understanding of how those devices communicate, to automate alerts whenever any device or group of devices acts outside a set baseline, and to automate proper segmentation of devices so that lateral movement inside your network via those devices is not possible.
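The workflow in the lessons above (inventory the devices, baseline how they communicate, alert on deviations, derive segmentation from the baseline) can be reduced to a small amount of detection logic. The following is an added example written for this article; it is not Ordr's code and does not use any Ordr product API. The device inventory, the organization's address range (`10.10.0.0/16`), the cloud address and all flow records are constructed sample data, and the `Flow`, `Alert`, `build_baseline`, `detect` and `segmentation_policy` names are this example's own. It learns each camera's normal outbound (destination, port, protocol) tuples from a learning window, then flags two things in a later window: a camera talking to a destination it has never used (such as a "non-production" call-home), and anyone reaching a camera over SSH, Telnet or RDP.

```python
"""Baseline-and-alert detection over constructed IoT camera flow records.

Added example, not Ordr's code. All addresses and flows are constructed
sample data; the organization prefix and cloud address are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Supervisory protocols the article calls out; access to a camera over
# any of these is worth an alert regardless of the baseline.
SUPERVISORY_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Constructed: the organization's own address space (hypothetical).
ORG_NETWORKS = [ip_network("10.10.0.0/16")]

# Constructed inventory (hypothetical addresses). In practice this is the
# continuously maintained device inventory the article recommends.
INVENTORY = {
    "10.10.5.21": "camera",
    "10.10.5.22": "camera",
    "10.10.9.7": "workstation",
}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Alert:
    device: str  # the camera the alert is about
    rule: str    # "new-destination" or "supervisory-access"
    detail: str


# Constructed learning window: both cameras only stream to the (hypothetical)
# cloud server on 443 and resolve names via the internal DNS server.
LEARNING_FLOWS = [
    Flow("10.10.5.21", "203.0.113.10", 443, "tcp"),
    Flow("10.10.5.21", "10.10.1.1", 53, "udp"),
    Flow("10.10.5.22", "203.0.113.10", 443, "tcp"),
    Flow("10.10.5.22", "10.10.1.1", 53, "udp"),
]

# Constructed detection window: one normal stream, one camera calling home to
# a never-seen external host, and a workstation reaching both cameras over
# supervisory protocols.
LIVE_FLOWS = [
    Flow("10.10.5.21", "203.0.113.10", 443, "tcp"),
    Flow("10.10.5.22", "198.51.100.77", 8443, "tcp"),
    Flow("10.10.9.7", "10.10.5.21", 22, "tcp"),
    Flow("10.10.9.7", "10.10.5.22", 23, "tcp"),
    Flow("10.10.9.7", "203.0.113.10", 443, "tcp"),
]


def cameras(inventory):
    return {ip for ip, kind in inventory.items() if kind == "camera"}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def build_baseline(flows, inventory):
    """Learn each camera's normal outbound (dst, dport, proto) tuples."""
    cams = cameras(inventory)
    baseline = defaultdict(set)
    for f in flows:
        if f.src in cams:
            baseline[f.src].add((f.dst, f.dport, f.proto))
    return dict(baseline)


def detect(flows, baseline, inventory):
    """Return alerts for flows that deviate from the learned baseline."""
    cams = cameras(inventory)
    alerts = []
    for f in flows:
        # Rule 1: a camera sourcing traffic to a destination outside its baseline.
        if f.src in cams and (f.dst, f.dport, f.proto) not in baseline.get(f.src, set()):
            scope = "internal" if is_internal(f.dst) else "external"
            alerts.append(Alert(f.src, "new-destination",
                                f"{scope} {f.dst}:{f.dport}/{f.proto}"))
        # Rule 2: anything reaching a camera over a supervisory protocol.
        if f.dst in cams and f.proto == "tcp" and f.dport in SUPERVISORY_PORTS:
            who = inventory.get(f.src, "unknown device")
            alerts.append(Alert(f.dst, "supervisory-access",
                                f"{SUPERVISORY_PORTS[f.dport]} from {f.src} ({who})"))
    return alerts


def segmentation_policy(baseline):
    """Turn the baseline into explicit allow rules (src, dst, dport, proto);
    everything not listed is implicitly denied by the enforcing device."""
    return sorted((cam, dst, dport, proto)
                  for cam, tuples in baseline.items()
                  for (dst, dport, proto) in tuples)


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS, INVENTORY)
    for a in detect(LIVE_FLOWS, base, INVENTORY):
        print(f"[{a.rule}] camera {a.device}: {a.detail}")
    for rule in segmentation_policy(base):
        print("allow", *rule)
```

The point of deriving the segmentation rules from the same baseline that drives alerting is that the two stay consistent: once a camera's role is understood as "stream to the cloud collector and resolve DNS", that is all the policy permits, and the alert rules describe exactly what the policy would have blocked.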


About the Author

Jeff Horne is currently the CSO at Ordr where he is responsible for security direction both within Ordr products and internal security. Prior to Ordr Jeff was the VP of Information Security for Optiv where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv Jeff was the Senior Director of Information Security for SpaceX where he was responsible for the overall security strategy of SpaceX and managing the Information Security, Compliance (ITAR), Security Operations, and Physical Security groups. Previous to SpaceX Jeff was the Vice President of R&D and Chief Architect for Accuvant LABS where he managed teams of researchers and consultants specializing in reverse engineering, malicious code, incident response, breach analysis, and vulnerability assessment. Prior to Accuvant Jeff was the Director of Threat Research at Webroot Software where he led several teams of malware researchers, reverse engineers, and a development organization specializing in creating anti-malware functionality and detection signatures for all Webroot products. Jeff began his career as a Vulnerability Researcher at Internet Security Systems where he was responsible for vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware. Jeff is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.
