The Seattle Times
In one video, a woman in a hospital room watches over someone sleeping in an intensive-care bed. In another, a man and three children celebrate one Sunday afternoon over a completed puzzle in a carpeted playroom.
The private moments would have, in some other time, been constrained to memory. But something else had been watching: an internet-connected camera managed by the security startup Verkada, which sells cameras and software that customers can use to watch live video from anywhere across the web.
With a single breach, those scenes — and glimpses from more than 149,000 security cameras — were suddenly revealed to hackers, who had used high-level login credentials to access and plunder Verkada’s vast camera network.
A hacker shared some of the materials with The Washington Post to spotlight the security threat of widespread surveillance technologies that subject the public to near-constant watch.
The cache includes real-world images and videos as well as the company’s voluminous client list, which names more than 24,000 organizations across a vast cross-section of American life, including schools, offices, gyms, banks, health clinics and county jails.
The breach, first reported by Bloomberg, highlighted a central vulnerability undermining the modern web: As more companies race to amass vast stores of sensitive data, they are also becoming more fruitful targets for attack and making it that much easier for thousands of unaware people suddenly to be exposed.
But it also revealed a sweeping change to the way America now watches itself: through the increasingly ubiquitous eyes of cheap, internet-connected cameras, capturing our lives in ways many people may not realize — and etching them onto a web that never forgets.
“This breach should be a wake-up call to the dangers of self-surveillance,” said Andrew Ferguson, a law professor at American University Washington College of Law. “We are building networks of surveillance we cannot escape from without really thinking about the consequences. Our desire for some fake sense of security is its own security threat.”
A Verkada spokesperson said its system is now secure and that the company has blocked unauthorized access by disabling all internal administrator accounts. The company, which has advertised that its camera networks are “secure from the ground up,” has notified law enforcement, and its internal security team and a third-party security firm are investigating the scale and scope of the breach.
Tillie Kottmann, a Switzerland-based member of the “hacktivist” collective Advanced Persistent Threat 69420, said the loosely organized team of fewer than 10 people stumbled on login details for a Verkada “Super Admin” account that had been publicly exposed on the web.
“We generally do not do targeted work. We all have ADHD and not a lot of patience,” Kottmann said. (The collective’s name combines the cybersecurity term for specialized hacking squads with two jokey meme numbers related to sex and marijuana.)
Once inside Verkada’s network, Kottmann said, team members were stunned by how much real-time video they could watch — and how many internal features they could access. The company’s centralized software made it easy for them to access a vast network of sensitive surveillance cameras with only a few clicks.
The hackers gained access on Monday and were able to view real-time footage and watch the full collection of customers’ saved videos, Kottmann said. The company was alerted by Bloomberg and closed the breach the following day.
“It still feels incredibly surreal the amount of foothold I was able to gain from this,” Kottmann said. “That’s the irony of this whole thing: All the cool features they provide for security are exactly why everything broke.”
Founded in 2016, Verkada sells everything a school, workplace or company would need to start monitoring their real-world space, from indoor and outdoor cameras to door access controls and sensors for temperature, motion and noise.
The Silicon Valley company’s hardware connects to the internet via Verkada’s cloud service, allowing customers to not just watch and store real-time video from anywhere, but also to use the company’s artificial-intelligence features to track people as they move about the real world.
Verkada’s “People Analytics” software lets customers automatically search for a person across the building or campus — by the look of their face, the color of their clothes, whether they’re wearing a backpack, or their “apparent sex” — then track that person’s movement from room to room.
Verkada high-resolution cameras start at $599, and cloud licenses start at $199 a year. The company also sells a dedicated $1,999 “viewing station” that can stream up to 36 cameras at one time.
Verkada and its competitors advertise that their centralized surveillance devices can supercharge public security and keep people safe by detecting dangers or deterring crime before it can even occur.
This business of “video analytics” systems is growing rapidly: Companies like Avigilon have sold camera software with features for “unusual motion detection” and “appearance search” to a number of businesses and public organizations nationwide, including school districts scarred by mass shootings.
“The opportunity to be the operating system for all buildings in the world?” Aydin Senkut, the founder of Verkada investor Felicis Ventures, told TechCrunch last year. “Sounds like that market couldn’t be better.”
But the Verkada customer list provided to The Post also shows how staggering a single breach can be. The list includes churches, volunteer fire departments, hotels, sports bars, rehabilitation centers and children’s foster-care homes, as well as major tech companies like Cloudflare.
Some clips show the deserted corridors of the pandemic era: a corporate office of abandoned cubicles stretching to the horizon; an empty classroom with an American flag. A Cloudflare spokesperson said the Verkada cameras monitored the main entry points and thoroughfares of company offices that have been closed since last year, and that they were disconnected as soon as the company learned of the breach.
But many others show people simply going about their lives: Workers on the floor of a manufacturing plant; people sitting in a hospital waiting room; a security guard alone on the graveyard shift.
Liz O’Sullivan, technology director for the Surveillance Technology Oversight Project, a nonprofit advocacy group, said tech companies’ mass gathering of personal video and other data has left them under constant siege by hackers, who probe networks and use automated tools to test for vulnerabilities.
Some do it for fun while others seek to hijack systems, blackmail targets or win a lucrative ransom. And the rush to install more internet-connected devices around our homes and workplaces — the “Internet of Things” — is also fueling a wave of unprotected devices that risk privacy. She noted how some websites, like Insecam, allow anyone to watch thousands of public and unsecured web cameras from around the world (and are even grouped by category, including “House,” “Kitchen” and “Pool”).
“This is the hypocrisy of the surveillance network: Anything you create under the guise of making more safety is a tool that can be turned against you,” she said.
“The more we centralize power into the hands of a few tech companies, the more at risk we are of things like this,” she said. And “for every one of these you hear about, there are 10 others you don’t.”
The hack has also raised questions about how much Verkada employees were able to see from its customers’ cameras. Charles Rollet, of the surveillance research group IPVM, said Wednesday that a person with close knowledge of the company, whom Rollet declined to name, claimed that Verkada employees could access customers’ camera footage at any time without the customers’ knowledge.
“Verkada had sold their system as particularly advanced in terms of privacy and security, which is ironic when you look at what happened,” Rollet said. “People don’t realize what happens on the back end, and they assume that there are always these super-formal processes when it comes to accessing footage, and that the company will always need to give explicit consent. But clearly that’s not always the case.”
Verkada did not respond Wednesday to questions about employee access of customer cameras. But the company last year terminated three employees for what CEO Filip Kaliszan said was “egregious behavior targeting co-workers” following reports that employees had used the company’s internal office cameras to photograph and make sexual jokes about their female colleagues.
Such access has also been an issue at other tech giants, including the doorbell-camera company Ring, which has fired employees for improperly accessing customers’ video data.
Some of the Verkada footage shared with The Post appeared to come from institutional settings where security cameras have long been a fact of life. Cameras in jails looked down over the toilets and benches of cramped holding cells. Others showed inmates talking together on a Friday night or being forcefully restrained.
But the cameras also revealed how more are being rolled into small businesses and residential neighborhoods. Companies like Ring and Google Nest advertise indoor and outdoor camera systems that can connect to the web, and some owners have reported hacks and cyberattacks that have exposed their inner lives to the web.
In several of the shared Verkada clips, children could be shown at play. In one clip, a girl dances in a community center gym on a Friday morning as other kids wait in line. No one seems to really pay attention to her, except us.
“Every video stream, sensor upload and digital trail we create is vulnerable to illegal interception by hackers and lawful acquisition by police,” Ferguson, the law professor, said. “The breach is unusual and terrible, but we probably should be more concerned with what we think is normal and fine about digital surveillance technologies.”
