A group of hackers broke into 150,000 cameras.
The victims include Tesla, hospitals, schools and police stations around the world, as well as the company that supplied the cameras.
The exposed footage includes Tesla's warehouse in Shanghai. The hacker group claims to have access to 222 cameras in Tesla factories and warehouses worldwide.
Through these cameras the hackers also saw:
Eight hospital staff restraining a patient on a bed;
Police interrogating handcuffed prisoners;
Prison cameras hidden in vents and thermostats;
The cameras are supplied by Verkada, a Silicon Valley start-up that raised $80 million in January 2020 at a valuation of $1.6 billion.
According to the latest reports, even Verkada's own staff hold administrator credentials that let them look in on customers' cameras.
How they got in
What kind of network-intrusion technique does it take to reach cameras on this scale?
The truth is almost laughable.
According to the international hacker group apt-69420, they simply found a username and password stored in the open on a Verkada server.
Verkada had written the password into a Python script for a Jenkins plug-in.
Logging into the maintenance web application with it grants super-administrator rights; no advanced hacking knowledge is needed.
From there, a few mouse clicks give access to any customer's camera, and even let the intruder execute their own code on the camera.
Beyond live feeds, the hackers could also obtain the complete video archives, some of them with audio, all in 4K high-definition resolution.
They also found Verkada's global customer list and financial statements, and claim to have reached Cloudflare's and Tesla's internal networks through the maintenance backdoors.
Verkada's chief said measures had been taken to disable all internal administrator accounts to prevent any further unauthorized access, and that the company's internal security team and an external security firm are investigating the scale and scope of the incident.
Since then, the hackers have lost all access.
Other companies and organizations affected declined to comment.
Verkada's cameras are tied to its cloud service by design: if a customer cuts the network connection between the cameras and Verkada's servers, the cameras can no longer be used.
Moreover, many enterprise customers have paid service fees years in advance, and under the contract Verkada will not issue refunds.
Frequent chaos inside the company
Verkada's super-administrator privilege is normally used to debug products and handle customers' after-sales issues.
When an employee applies to view a customer's camera, he or she must submit a reason, which the system records in a log.
But these logs were never reviewed, and the hackers carried out various operations over two days without being noticed.
According to the hackers, many employee accounts in the system had the right to view any camera of any customer.
Former Verkada employees confirmed this: more than 100 employees, interns included, had such rights.
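As an added illustration (not code from the article or from Verkada), here is the kind of review the article says never happened: a script that parses a constructed super-admin access log and flags entries with empty or boilerplate justifications, access outside support hours, and one account sweeping across many customers' cameras within minutes. The log format, account names, customer names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a support-access audit log in the shape the article
# describes: who used the super-admin role, whose camera was opened, and the
# justification the employee submitted. Every value here is made up.
SAMPLE_LOG = """\
2021-03-08T10:12:03Z support_alice customer=HospitalA cam=ha-lobby-1 reason="ticket 4411: stream stalls"
2021-03-08T10:40:19Z support_alice customer=HospitalA cam=ha-lobby-1 reason="ticket 4411: retest"
2021-03-09T02:03:55Z svc_build customer=CarPlantB cam=cp-dock-7 reason=""
2021-03-09T02:04:10Z svc_build customer=SchoolC cam=sc-hall-2 reason=""
2021-03-09T02:04:31Z svc_build customer=PrisonD cam=pd-vent-3 reason="test"
2021-03-09T02:05:02Z svc_build customer=HospitalA cam=ha-icu-4 reason="test"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<actor>\S+) customer=(?P<customer>\S+) '
                     r'cam=(?P<cam>\S+) reason="(?P<reason>[^"]*)"$')
BOILERPLATE = {"", "test", "testing", "debug"}   # justifications that say nothing

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            entries.append(e)
    return entries

def find_suspicious(entries, max_customers=2, window_minutes=10):
    # Returns (actor, kind, detail) tuples for the three checks below.
    findings = []
    for e in entries:
        if e["reason"].strip().lower() in BOILERPLATE:
            findings.append((e["actor"], "no_reason", e["cam"]))
        if not 7 <= e["ts"].hour < 20:          # outside assumed support hours (UTC)
            findings.append((e["actor"], "off_hours", e["cam"]))
    by_actor = defaultdict(list)
    for e in entries:
        by_actor[e["actor"]].append(e)
    # One account sweeping cameras of many different customers in a short window
    for actor, evs in by_actor.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            custs = {x["customer"] for x in evs[i:]
                     if (x["ts"] - start["ts"]).total_seconds() <= window_minutes * 60}
            if len(custs) > max_customers:
                findings.append((actor, "customer_sweep", sorted(custs)))
                break
    return findings
```

Run against the sample, `find_suspicious(parse_log(SAMPLE_LOG))` leaves the ticket-backed daytime access alone and reports the night-time account nine times: four empty or boilerplate reasons, four off-hours entries and one sweep across four customers.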
Beyond the weak security arrangements, there are also problems with the company's management.
In 2019, a sales director used the facial-recognition feature of the office cameras to secretly photograph female employees, posted the pictures to a company Slack channel, and sexually harassed them.
Afterwards, Verkada's only punishment for the employees involved was a choice between dismissal and a cut to their stock options; all of them chose to stay and take the reduced options.
Do we really need cloud monitoring?
Verkada stores all surveillance data in the cloud. Beyond basic monitoring, it also offers a people-search service.
People on camera can be filtered by gender, clothing colour and facial recognition.
This makes the cloud surveillance system powerful and easy to use, and once it is compromised, it can do correspondingly more harm.
The hacker's advice is as follows:
I don't like any form of surveillance, but if you have to install it, please don't use the centralized cloud platform of a venture-capital-funded start-up. These companies sell more than they serve their customers and don't care about anything except profits.
In fact, this is not the first time a cloud surveillance system has gone wrong.
In 2017, the 360 Water Drop camera caused controversy because it live-streamed footage from public surveillance cameras on its own platform without authorization; the live-streaming platform was eventually shut down.
In January last year, Google suspended all of Xiaomi's smart home products from its platform over a privacy leak.
At the micro level, should cameras be connected to the cloud at all?
At the macro level, what matters more: convenience, security or privacy?
These are questions our era has to answer.
Who are the hackers?
Tillie Kottmann, a Swiss developer, was the person primarily responsible for the incident and says she is a woman.
She broke into Intel last August and leaked 20GB of confidential documents.
Earlier, she also extracted large amounts of source code and confidential information from the networks of Microsoft, Nintendo, Disney, Motorola and other companies through poorly secured DevOps applications.
Nintendo's source code and development libraries were leaked in an incident known as the Nintendo "gigaleak" because of its scale.
Kottmann's Twitter account, used to publish the leaked material, has now been suspended.
According to the latest news, Swiss authorities raided Kottmann's home and seized her equipment.