Dangers of IoT Privilege Management Blind Spots Exposed in Verkada Security Camera Breach

March 11, 2021


Let’s start with a candid discussion on IoT and Internet security. If you are an IoT vendor, you bear some fundamental responsibilities to protect your company, your infrastructure, and the security and privacy of your clients—whether they are other businesses you sell to or consumers. You would absolutely want to architect and deploy a solution in which no single credential or account could EVER be used to jeopardize the trust and well-being of your clients and your solution. Moreover, your customers should have every expectation that this is the case. Right?

With that in mind, you would want these basic security controls in place:

  • Segregation of access to the IoT devices you service, including enforcement of the separation-of-privilege concept. No one account should have access to everything—or much at all, for that matter.
  • Two-factor authentication enabled for all clients
  • Multi-factor authentication (MFA) enabled for all employees, vendors, and contractors
  • Restricted access to all sensitive accounts from only approved zones
  • Privileged credential management to rotate, manage, secure, and provide certification for all administrative accounts
  • An established workflow to allow access to the most sensitive accounts, adhering to just-in-time access models. This means any administration or elevation of privileges by IT, other users, or even tasks, should occur for the finite period necessary to complete a task. This is just smart enforcement of least privilege to reduce attack surfaces and threat windows.

Many of the above practices can best be implemented using privileged access management (PAM) and other identity-centric security solutions.

How did the Verkada IoT Breach Happen & What are the Implications?

Unfortunately for Verkada, a provider of IoT cameras and support services, and for its customers, none of the above security best practices were in place. On March 9th, Bloomberg reported a massive security breach of the Verkada network that exposed the live feeds of 150,000 security cameras used in jails, hospitals, and even companies like Tesla. The exposure revealed live feeds from some incredibly sensitive environments, including women’s health clinics, psychiatric facilities, and even police departments.

As a former senior-level employee told Bloomberg: “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally.” The hackers were apparently stunned at just how easy it was to access such a vast trove of sensitive data for all of Verkada’s customers, remarking that it was “incredibly surreal”.

The mingling of Verkada customer data in a single, allegedly secure, location was purportedly for facial recognition services used to identify people captured on monitored footage. The threat actors claim they had full access to archives of full video for all Verkada customers, making the security and data privacy issues even more complex.

This leads us to consider some questions with profound data privacy implications:

  • Did organizations know that the live feeds could have been a beta version for facial recognition services?
  • Did organizations that enabled the beta facial recognition technology disclose to patrons or workers that facial recognition software was in use?
  • Did businesses and employees know or consent to data retention of their likeness being captured for archival purposes?
  • How does Verkada filter out, secure, or process any intellectual property in the videos (if using object tracking)?

Could the Verkada IoT Breach have been Prevented or Mitigated? Yes.

This was not a sophisticated attack and, as speculated early on, the proper security controls were not in place.

In response to the breach, Verkada put out a statement saying, “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

The threat actors obtained “root” access to the Verkada cameras using built-in functionality that escalated their privileges to “Super Admin”. This superuser/root account permitted access to all of Verkada’s camera feeds, potentially jeopardizing security and privacy at every customer environment.

The web is littered with millions, even billions, of compromised credentials that attackers can easily feed into automated tools to make their jobs a cakewalk. That’s why uniqueness for every credential, and rotation for privileged credentials (including after each use for the most powerful credentials), is one of the most longstanding and basic of all cybersecurity best practices.

With the above in mind, the initial Verkada account compromise occurred due to exposure on the Internet of a username and password for an administrative account (single-factor authentication)! From what is known about the breach and what the hacker group has claimed, no malware or advanced persistent threats (APTs) were involved. The compromised administrative account was also accessible from the Internet, with no monitoring or active response triggered when access was attempted from an inappropriate location.

Based on these facts, the privileged attack vector allowed the threat actors to infiltrate the environment, exfiltrate highly sensitive video feeds, and expose critical flaws, giving bad actors the ability to:

  • View unrestricted, live camera feeds from hundreds of thousands of cameras including some from very sensitive environments, violating proper segregation of client data and separation of roles and responsibilities for administrators.
  • Log in to critical systems via a single-factor username and password for a company administrator, violating security best practices and potentially regional regulatory compliance laws for secure privileged access to personally identifiable information (PII).
  • Circumvent credentials for individual client IoT camera feeds by using flaws built in as features of the existing camera infrastructure, allowing privilege escalation. This means Verkada essentially undermined some of the security its customers could have implemented.
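As an added illustration (not Verkada’s or BeyondTrust’s code), the following Python models the controls listed at the start of this post and the failures just described as one policy check over a privileged access request: MFA required, source restricted to approved zones, and a tenant-scoped, time-boxed just-in-time grant. The zones, roles, accounts, tenants and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed policy (assumption): networks that privileged sessions may originate from.
APPROVED_ZONES = [ipaddress.ip_network("10.20.0.0/16"),     # admin VPN pool
                  ipaddress.ip_network("192.168.5.0/24")]   # jump hosts
PRIVILEGED_ROLES = {"super_admin", "camera_admin"}

@dataclass
class JitGrant:            # time-boxed elevation, scoped to one customer tenant
    account: str
    tenant: str
    start: datetime
    end: datetime

@dataclass
class AccessRequest:
    account: str
    role: str
    tenant: str            # customer whose cameras are being administered
    source_ip: str
    mfa_verified: bool
    at: datetime

def evaluate(req: AccessRequest, grants: list) -> tuple:
    """Return (allowed, reasons); each failed control is a reason the SOC should alert on."""
    reasons = []
    if req.role not in PRIVILEGED_ROLES:
        return True, reasons                 # non-privileged logins are out of scope here
    if not req.mfa_verified:
        reasons.append("single-factor login to a privileged account")
    if not any(ipaddress.ip_address(req.source_ip) in zone for zone in APPROVED_ZONES):
        reasons.append(f"privileged access from unapproved zone {req.source_ip}")
    active = [g for g in grants if g.account == req.account and g.start <= req.at <= g.end]
    if not active:
        reasons.append("no active just-in-time grant for this account")
    elif all(g.tenant != req.tenant for g in active):
        reasons.append(f"active grant does not cover tenant {req.tenant}")
    return not reasons, reasons

NOW = datetime(2021, 3, 8, 14, 0, tzinfo=timezone.utc)   # constructed timestamp
GRANTS = [JitGrant("ops.alice", "clinic-42", NOW - timedelta(minutes=5), NOW + timedelta(hours=1))]

def breach_like_request():   # password-only super-admin login from the Internet, no grant
    return evaluate(AccessRequest("intern.bob", "super_admin", "clinic-42", "203.0.113.9", False, NOW), GRANTS)
def compliant_request():     # MFA, from the admin VPN, inside a grant scoped to the tenant
    return evaluate(AccessRequest("ops.alice", "camera_admin", "clinic-42", "10.20.3.7", True, NOW), GRANTS)
def wrong_tenant_request():  # same session, but reaching into another customer's cameras
    return evaluate(AccessRequest("ops.alice", "camera_admin", "hospital-7", "10.20.3.7", True, NOW), GRANTS)
```

The breach-like request fails all three controls at once, which is exactly the kind of event that should have raised a monitoring alert rather than silently succeeding.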

This breach is already triggering security and privacy concerns for government, corporate, and civilian agencies that, no doubt, will lead to a wide variety of lawsuits. The breach may also reignite legislation around IoT security and facial recognition technology.

While this is another breach added to the list of eye-opening security incidents in 2021, all companies should take notice—especially those providing IoT services via the web. If you provide IoT products and services, you should perform proper segmentation, but most importantly, implement secure administrative accounts using a privileged access management solution. A PAM solution can manage your privileged credentials according to best practices, remove unnecessary admin rights and granularly enforce least privilege, enable just-in-time access models, support separation of privileges, and much more. At absolute minimum, you should never allow single factor authentication for any privileged account.

Customers searching for IoT solutions should always ask whether their cloud vendors are SOC and ISO certified. While not perfect, certification does give a level of confidence that many of the cybersecurity malpractices responsible for the initial Verkada breach, as well as its broad fallout, are not a concern.


Related Reading:

Privilege Password Management Explained (white paper)

Privilege Escalation Attack and Defense Explained (blog)

Universal Privilege Management (solutions)


Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
