Always Watching: Lessons Learned from the Verkada Breach

Tom Badders
March 11, 2021 • 3 min read

Video surveillance is a key security feature for many businesses, government agencies, education campuses, hospitals, law enforcement, and critical infrastructure organizations. This capability provides significant aid and support to these entities to ensure the safety and security of people as well as assets in those organizations.

A recent breach, however, has demonstrated the potential cybersecurity vulnerabilities in these types of video surveillance systems.

Hackers are not bashful about how they did it and what they found. A member of the group allegedly behind this breach went into great detail describing the video surveillance networks they hacked and what they saw and captured.

In addition to capturing the video streams and biometric identity of people, the hackers also gained “root” access to the devices, which allowed them access to the administrative privileges of the surveillance system. They were able to manipulate the cameras, obtain access to the broader networks and hijack the cameras to use them as a platform to launch further attacks.

Whether it was just a brag, or not, the hackers stated the simplicity of the attack. In fact, they said, “it was fun.”

Alarmingly, video surveillance breaches aren’t at all random; the bad actors have picked up on the vulnerability of these systems. A recent Twitter thread even divulged how to hack into a particular make of camera system in a methodical, step-by-step process.

Organizations, regardless of size or industry, need to be aware that every new device they add to their network could potentially be a new attack vector for cyber criminals. In this case, video surveillance systems have many attack vectors, including the camera itself, the web-based management platform, and the cloud-based or on-premises image stream repository.

Now that the hacking of a prominent IoT device such as a video surveillance camera has been so publically exposed, what’s next? IoT technology has connected all sorts of critical assets such as medical devices, energy systems, oil and gas analytics systems, heating and cooling systems, home-based security systems, and many more. The stakes are only going to get higher.

Protection from cyber adversaries is a full time job for CISOs, CIOs and IT personnel, and it becomes increasingly complicated as new technologies are added to their networks. New cybersecurity solutions must be constantly developed and evolve as the sophistication of attacks increases. Technologies such as network obfuscation, managed attribution, cloaking, and privatizing the public internet need to continually be assessed by CISOs for use in the protection of their networks, people and critical assets.

Enhancing a networks cybersecurity using virtual network obfuscation capabilities will ensure that web-based activity cannot be traced back to the user, their device, or their organization. It can hide network resources, such as a video camera, a web-based administrative console, or cloud or on-premises repositories. Cloaking them so that cyber adversaries cannot even see that they exist. In the case of video surveillance, video images and streams can be stored in a cloaked (or hidden) repository inside the obfuscation network.

The recently announced partnership between Telos and Johnson Controls is a major step in combatting these types of attacks. JCI is a worldwide leader in Cyber Smart Buildings, and Telos is a leader in cybersecurity. Together, the integration of Telos’ network obfuscation technologies with JCI video management system will be a step forward in the elimination of the types of attack surfaces used to perform these video surveillance hacks. 

Tom Badders
Senior Product Manager
Tom Badders is a Senior Product Manager at Telos Corporation.
Read full bio