More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.
Verkada was breached on Monday, when hackers gained access to what’s known as a “Super Admin” account that allowed them to see all of the live feeds and archived videos of Verkada’s customers, Bloomberg reported. With access to 150,000 cameras, the hackers were able to see inside Tesla Inc., as well as watch police interviews and witness hospital employees tackling a patient.
The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.
The San Mateo, California-based company said the access was limited to those employees who needed to address specific engineering or customer issues and that it had strict policies in place to protect its customers’ privacy.
“Verkada previously limited access to internal administrator accounts to engineers and support staff so they could address customers’ questions and technical issues,” a company spokesman said in a statement responding to questions from Bloomberg News. “Verkada’s training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed.”
This week’s breach of the company was carried out by an international hacker collective based in Europe. Tillie Kottmann, one of the hackers who claimed credit for the incident, said they wanted to show the pervasiveness of video surveillance and the ease with which those systems could expose users’ confidential spaces.
Senator Ron Wyden, a Democrat from Oregon, echoed that point in reaction to the incident Wednesday. “Every hack like this one exposes the threat that government and private surveillance will be turned against law-abiding Americans by criminals, predators and spies,” Wyden said in an emailed statement.
It is unclear whether most Verkada customers knew its employees could peer through the cameras they purchased from the company. One former employee said it was implied that employees would not have such access, yet engineers were routinely looking at people's cameras every day.
At Verkada, as at other companies, Super Admin accounts have legitimate purposes: engineers use them to debug products, and support staff use them to help clients with ongoing issues. But the ease with which the hacktivists gained access to so many live camera feeds suggested that Verkada had few technical measures in place that would prevent its own employees from doing the same thing.
And weak security protocols left customers’ confidential spaces open to intruders, according to the former employees. Although using a Super Admin account normally required multi-factor authentication, any user could simply switch it off, one of the former employees said.
Some aspects of the use of Super Admin accounts at Verkada were previously reported by IPVM, a publication that covers the surveillance camera industry.
One employee said this week’s security breach might have been prevented, since the Super Admin issue had been raised repeatedly by some employees.
When an employee accessed a customer’s camera, the Verkada system required them to submit a reason for doing so. Those employee submissions were logged, but that documentation was rarely checked, a former employee said.
“Nobody cared about checking the logs,” the person said. “You could put whatever you wanted in that note; you could even just enter a single space.”
Verkada also offers a "privacy mode" to customers, which hides a camera's feed from Verkada employees, according to a former employee. But a Super Admin account could simply switch that feature off, restoring the employee's view of the footage, the former employee said.
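The three weaknesses the former employees describe (MFA a user can switch off for themselves, a justification field that accepts a single space and is never reviewed, and a privacy setting a Super Admin can clear) are easier to see side by side in code. The following is an added illustration, not Verkada's code and not a description of its actual system: a toy access gate that models those weak controls, the hardened gate a practitioner would expect, and an offline review of JSON-lines audit entries that would have flagged the blank-reason accesses. Every name, role, field and log entry is constructed for the example.

```python
# Added illustration, not Verkada's code: a toy access gate modelling the weak
# controls described above beside a hardened gate, plus an offline review of
# JSON-lines audit entries. Names, roles and log entries are constructed.
import json
from dataclasses import dataclass
from typing import Optional

MIN_REASON_LEN = 10
ALLOWED_ROLES = {"support", "engineer"}   # scoped roles, no standing super admin

@dataclass
class User:
    name: str
    role: str
    mfa_self_disabled: bool = False   # the weak gate honours this user-set flag

@dataclass
class Camera:
    camera_id: str
    customer: str
    privacy_mode: bool = False        # customer hid the feed from vendor staff

@dataclass
class AccessRequest:
    user: User
    camera: Camera
    reason: str
    consent_ticket: Optional[str] = None  # record of the customer's explicit permission
    mfa_passed: bool = False              # outcome of the MFA challenge, if one ran

def _entry(req: AccessRequest, granted: bool, denied_for: list) -> dict:
    return {"user": req.user.name, "role": req.user.role,
            "camera": req.camera.camera_id, "customer": req.camera.customer,
            "reason": req.reason, "ticket": req.consent_ticket,
            "privacy_mode": req.camera.privacy_mode,
            "granted": granted, "denied_for": denied_for}

def weak_can_view(req: AccessRequest, log: list) -> bool:
    """Any super admin sees any camera; a user who switched MFA off is not
    challenged; the reason is stored unchecked; privacy mode is simply cleared."""
    if req.user.role != "super_admin":
        return False
    if not req.user.mfa_self_disabled and not req.mfa_passed:
        return False
    log.append(_entry(req, True, []))    # stores reason == " " unchanged
    req.camera.privacy_mode = False      # super admin overrides the customer's setting
    return True

def hardened_can_view(req: AccessRequest, log: list) -> bool:
    """MFA is policy, not a user preference; the justification must have content;
    access needs a consent record; privacy mode cannot be overridden; every
    decision, including a denial, is logged with its reasons."""
    checks = [
        (req.user.role in ALLOWED_ROLES, "role not permitted"),
        (req.mfa_passed, "mfa required by policy"),
        (len(req.reason.strip()) >= MIN_REASON_LEN, "reason too short"),
        (bool(req.consent_ticket), "no customer consent"),
        (not req.camera.privacy_mode, "camera in privacy mode"),
    ]
    denied_for = [why for ok, why in checks if not ok]
    log.append(_entry(req, not denied_for, denied_for))
    return not denied_for

def review_log(lines: list) -> list:
    """Offline review of JSON-lines audit entries: flag granted accesses with
    a blank reason, no consent record, or a camera that was in privacy mode."""
    flagged = []
    for line in lines:
        e = json.loads(line)
        if not e.get("granted"):
            continue
        problems = []
        if not str(e.get("reason", "")).strip():
            problems.append("blank reason")
        if not e.get("ticket"):
            problems.append("no consent ticket")
        if e.get("privacy_mode"):
            problems.append("privacy-mode camera")
        if problems:
            flagged.append((e["user"], e["camera"], problems))
    return flagged

# Constructed sample audit log in the weak gate's format (three grants).
SAMPLE_LOG = [
    json.dumps({"user": "intern42", "camera": "cam-0091", "customer": "acme-school",
                "reason": " ", "ticket": None, "privacy_mode": False, "granted": True}),
    json.dumps({"user": "support7", "camera": "cam-0102", "customer": "acme-school",
                "reason": "SUP-4471: lobby feed frozen", "ticket": "SUP-4471",
                "privacy_mode": False, "granted": True}),
    json.dumps({"user": "eng3", "camera": "cam-0113", "customer": "north-hospital",
                "reason": "debug motion events", "ticket": None, "privacy_mode": True,
                "granted": True}),
]

if __name__ == "__main__":
    intern = User("intern42", "super_admin", mfa_self_disabled=True)
    hidden = Camera("cam-0113", "north-hospital", privacy_mode=True)
    print("weak:", weak_can_view(AccessRequest(intern, hidden, " "), []))
    print("hardened:", hardened_can_view(AccessRequest(intern, hidden, " "), []))
    print("flagged:", review_log(SAMPLE_LOG))
```

The design point is that each control is decided by policy rather than by the person being controlled: the hardened gate ignores the user's own MFA flag, treats the customer's privacy setting as a hard deny rather than a toggle, and records denials as well as grants so that a log review has something to compare against. The review function is deliberately offline and mechanical; "nobody cared about checking the logs" is a process failure, but a blank-justification rule is cheap enough to run automatically.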