Hacktivists breach Verkada and view 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ A CCTV camera biz which left an admin account username and password exposed on the World Wide Web has, you guessed it, been targeted by hacktivists. Verkada, makers of internet-connected surveillance devices, had around 150,000 cameras and archive footage accessible through its web infrastructure when unauthorised folk went …
This type of story is so typical of the current state of affairs in the "connected" world.
"Use the cloud" they told us. "It will be great and cheap" they sold us.
Being a technical type, I can only see with a great deal of cynicism on the current state of security. Constant breaches are the norm and still people think the cloud is so great. Good, Cheap, Secure; pick two, you can't have all three. That has not changed in all these years and it never will. When does management learn? Probably only when they will be made personally responsible.
The irony of course is that Verkada bills itself as the solution to all the other camera vendors being insecure. Maybe they need to reassess having half the company in sales, instead of engineering. Yet another wakeup call for operators of physical security systems (IoT) to get some religion around updating firmware, managing certificates, and more comprehensive password management (i.e. what IT security has been doing for years).
From an interview with Filip Kaliszan, CEO of Verkada, on Verkada's own website: https://www.verkada.com/blog/verkada-enterprise-security-startup-1-point-6-billion-dollar-valuation/
Q: What are your retention metrics? What causes people to cease using the service?
A: For today’s businesses, security is not an option - it’s a necessity. Unless a customer has a compelling reason to switch to another platform, Verkada is exceptionally sticky. That’s due mainly to the nature of our system. With security infrastructure, there’s a significant upfront commitment from the customer: she has invested both in the hardware and the labor to physically install a system throughout her buildings.
These camera platforms are all nightmarishly bad.
Worse, if you try to compete with the crap china is dumping on the market, you'll go bankrupt. Unless you bin and blacklist every camera in the IP era it will never get better. All of these little horrors should only be allowed on an air-gapped network, and have no direct access to the internet.
But I'm not holding my breath on the current leadership setting any kind of standards for IP cams, so the standard shall remain substandard.
> All of these little horrors should only be allowed on an air-gapped network, and have no direct access to the internet.
Exactly, if I want to see who is at my house while I'm at work I call my in-house security team (who operate from a secret bunker below my fish pond), they connect to the air gapped camera, copy the footage onto 16mm film and after developing it drive it and a projector around to my office.
Five years? You are too optimistic of the current generations attention span.
Products older that two years are obsolete and planned to be obsolete. No need to remember them. Soon you will be able to buy your gadgets with a "forget" button so you may get a new one without prejudice.
Closed Circuit TV. Not IoT TV. Why was this video even technically accessible outside the organizations that installed this supposed "CCTV" system?
It's one thing to stream / offload locally encrypted dumps in case something burns down or disappears. It's another thing entirely, and arguably far from CCTV, to have outside contractors / employees able to view your creepy IoT camera network!
Genuinely curious: Does this trigger any GDPR consequences around use of biometric data against the idotic afflicted organizations?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
