In 2016, Verkada CEO Filip Kaliszan founded his Silicon Valley company with a specific vison in mind: “…to build the world’s safest and most sophisticated physical security systems.” On March 12, Kaliszan admitted that Verkada fell short, apologizing to the security firm’s clients, including 24,000 organizations.
For three days, hactivist group cheekily named Advanced Persistent Threat 69420 had video and audio access to the goings on of Verkada’s vast client list, including but not limited to schools and hospitals; gyms and prisons. Kottman, a member of the hacking collective, is open about their mission, which they admit is driven by “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
The breach is not so fun for Verkada. In fact, the breach highlights the irony of a security company leveling-up the industry by going hi-tech, utilizing IoT and ML technologies doing anything but, by losing 150,000 of its live-feed security cameras to the eyes of someone else. To call it a hack is almost a misnomer. The hactivist group happened upon Verkada super admin login details that were publicly leaked on the internet. Super admins are able to look across an entire network, giving the hackers free reign to spy, pry, and even control networks—including cameras—at their whim.
Related: Realizing Cyber Security Resilience
The push and pull between security and privacy is the bigger story here. These days, the neighborhood social network Nextdoor is flooded with Nest videos with titles like, “Suspicious man goes through my trash,” or, “This woman didn’t pick up after her dog.” Does affordable and attainable mass surveillance make us more secure or less? It depends who you ask. Kottman believes the hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
For what it’s worth, Kaliszan disagrees, saying, “From the beginning, we understood that video surveillance is a powerful tool and that privacy controls for our customers, their employees, and their clients would be paramount. That is exactly why we structured our business to give full data ownership to our customers and laid out a clear privacy framework. We have always aimed to strike the right balance between ensuring full control for our customers and maintaining just enough access to provide the best product and customer support.”
As with most things, the best path forward is somewhere in the middle. In the meantime, Verkada is doing its best to make things right. They have pivoted their engineers to focus more heavily on security, trust, and privacy and hired Mandiant and Perkins Coie to audit the company’s systems. Lastly, understanding the importance of transparency, Verkada is conducting weekly customer webinars where clients can ask questions and express concerns.
For better or for worse, IoT surveillance is the future. Verkada got lucky that hactivists discovered this particular vulnerability, but future hacks could be much worse. From ransomware to good old-fashioned blackmail, cloud-based smart security opens the door to the next level of exploitation for gain, should smart security systems fail to safeguard the very people they’re tasked with keeping safe.
Read More: Incident Of The Week