On Tuesday March 9th, Bloomberg reported that threat actors had breached the security camera feeds of Verkada Inc, a Silicon Valley startup, gaining access to almost 150,000 video surveillance cameras inside hospitals, organizations, police departments, prisons and schools. This was an unsophisticated hack, i.e., the threat actors found exposed credentials for an administrator’s account on the Internet.
While many security vendors are claiming that they could have detected the breach, note that in this specific case the credentials used were valid administrative credentials that provided access to multiple feeds from multiple customers on Verkada’s cloud servers, not on customer networks. Additionally, because of Verkada’s architecture, every feed from an organization’s cameras was encrypted and sent directly to the cloud. Therefore, no on-premises security solution would have detected any anomalies from the cameras, as they were simply streaming video to the centralized cloud server.
However, there are several security learnings from this incident:
- Real-time visibility is critical - Video surveillance cameras are pervasive, and just like many IoT devices, are not built with security in mind. Security starts with knowing what’s on your network. Our customers use our inventory dashboard to find devices like Verkada or any other video surveillance cameras in their network.
- Profile risks and behavior - It’s important to not only identify devices, but also understand the risks they bring and map how they communicate. In one Ordr deployment, we found that 60% of an organization’s cameras, deployed in hundreds of facilities world-wide, were using default passwords that were published on the Internet. And some of these cameras were running “non-production” software, calling home to their R&D center in China periodically. Once you understand the risks and baseline normal communications, you can create segmentation policies that give each device the access its role requires while limiting exposure.
- Monitor admins, users and access - Always make sure that admin maintenance accounts are secured properly, and monitor users and access. As outlined in this blog, Ordr provides very robust tracking of users using AD/RADIUS and wireless integration, so you can monitor which user is accessing which devices at what time. We also monitor supervisory protocols (SSH, Telnet, RDP), and can distinguish access by corporate users from access by guest users.
Organizations must look at the rapid growth of connected devices (i.e., digital transformation) as an opportunity to start maintaining a continuous and accurate inventory, gain a true understanding of how those devices communicate, automate alerts for any device or group of devices that acts outside its set baseline, and automate proper segmentation of devices so that they cannot be used for lateral movement inside your network.
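To make the three learnings above concrete (baseline normal communications, monitor supervisory-protocol access by user role, and derive segmentation from the baseline), here is a small added example. It is illustrative code written for this page, not Ordr’s product code, and it uses constructed flow records and access events with hypothetical device names and `.example` hostnames; the port-to-protocol map for SSH, Telnet and RDP is an assumption of the example.

```python
from collections import defaultdict

# Hypothetical port map for the supervisory protocols named in the post.
SUPERVISORY_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Constructed learning-period flows: (device, destination, dst_port, protocol).
# Cameras normally talk only to their vendor cloud and an internal NTP server.
BASELINE_FLOWS = [
    ("cam-lobby-01", "cloud.vendor.example", 443, "tcp"),
    ("cam-lobby-01", "ntp.corp.example", 123, "udp"),
    ("cam-dock-07", "cloud.vendor.example", 443, "tcp"),
    ("cam-dock-07", "ntp.corp.example", 123, "udp"),
]

# Constructed live flows; two leave the baseline and one comes from a camera
# that was never inventoried.
LIVE_FLOWS = [
    ("cam-lobby-01", "cloud.vendor.example", 443, "tcp"),
    ("cam-dock-07", "203.0.113.45", 8080, "tcp"),
    ("cam-lobby-01", "fileserver.corp.example", 445, "tcp"),
    ("cam-new-42", "cloud.vendor.example", 443, "tcp"),
]

# Constructed inbound sessions to cameras, enriched with the user identity an
# AD/RADIUS integration would supply: (user, src_ip, device, dst_port, role).
ACCESS_EVENTS = [
    ("jdoe", "10.0.5.21", "cam-lobby-01", 22, "corporate"),
    ("guest", "10.200.3.9", "cam-dock-07", 23, "guest"),
    ("jdoe", "10.0.5.21", "cam-lobby-01", 443, "corporate"),
]


def build_baseline(flows):
    """Map each device to the set of (destination, port, protocol) it normally uses."""
    baseline = defaultdict(set)
    for device, dst, port, proto in flows:
        baseline[device].add((dst, port, proto))
    return baseline


def find_deviations(baseline, flows):
    """Flag flows from unknown devices or to destinations outside a device's baseline."""
    alerts = []
    for device, dst, port, proto in flows:
        if device not in baseline:
            reason = "device not in inventory baseline"
        elif (dst, port, proto) not in baseline[device]:
            reason = "destination outside baseline"
        else:
            continue
        alerts.append({"device": device, "dst": dst, "port": port,
                       "proto": proto, "reason": reason})
    return alerts


def find_supervisory_access(events, allowed_roles=("corporate",)):
    """Record SSH/Telnet/RDP sessions to cameras; escalate those from disallowed roles."""
    findings = []
    for user, src_ip, device, port, role in events:
        if port not in SUPERVISORY_PORTS:
            continue
        findings.append({
            "user": user, "src_ip": src_ip, "device": device,
            "protocol": SUPERVISORY_PORTS[port],
            "severity": "high" if role not in allowed_roles else "info",
        })
    return findings


def to_segmentation_policy(baseline, device):
    """Turn a device's baseline into an allow-list followed by a default deny."""
    rules = sorted(f"allow {device} -> {dst}:{port}/{proto}"
                   for dst, port, proto in baseline[device])
    return rules + [f"deny {device} -> any"]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for alert in find_deviations(baseline, LIVE_FLOWS):
        print("ALERT", alert)
    for finding in find_supervisory_access(ACCESS_EVENTS):
        print("ACCESS", finding)
    print("\n".join(to_segmentation_policy(baseline, "cam-dock-07")))
```

The baseline is a plain allow-list per device, which is all a streaming-only camera needs; anything it has not been seen doing during the learning window (an unexpected external host, an SMB connection to a file server, a camera nobody inventoried) becomes an alert, and the same allow-list is what a default-deny segmentation rule is generated from. Supervisory sessions are always recorded, but only those from a role that should not be managing cameras are raised to high severity.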