https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=ohmtMHdW
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
Representatives of Tesla and other companies identified in this story didn’t immediately respond to requests for comment. Representatives of the jails, hospitals and schools named in this article either declined to comment or didn’t immediately respond to requests for comment.
A video seen by Bloomberg shows officers in a police station in Stoughton, Massachusetts, questioning a man in handcuffs. The hackers say they also gained access to the security cameras of Sandy Hook Elementary School in Newtown, Connecticut, where a gunman killed more than 20 people in 2012.
Also available to the hackers were 330 security cameras inside the Madison County Jail in Huntsville, Alabama. Verkada offers a feature called “People Analytics,” which lets a customer “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” according to a Verkada blog post. Images seen by Bloomberg show that the cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, track inmates and correctional staff using the facial-recognition technology. The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.