
This is the important part. NOT that their network was not secured, but that anyone with a super-user account can simply view archived and live video feeds of any of their customers????

> The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.



This really struck me also. I work in the relevant industry (we make cameras etc.) and there is always a bit of pain to get user footage. This is how it should be! To have everything from source code to customer material accessible to an admin is bottom-tier thinking. Why not just rename your "admin" to "GOD" and then ask yourself if you have any single point of failure?!

I do NOT want to sound smug, but there is a little bit of amateur hour going on here both from buyer and seller. High value and large targets (like airports) and more established sellers usually don't work like this, and that's for a reason.


It's not just that it's a single point of failure; it's that as a customer I do not want any admin who is feeling curious to be able to snoop on my footage with a click.

I don't know how "established" this company is, but their customers appear to include city governments, hospitals, and Tesla Motors, which I would consider "high value and large targets".

Makes me suspicious of the whole industry. If others in the industry don't want that, time for some industry codes and audits and self-regulation.


I've added a link to IPVM to the parent to my comment that might interest you!

Regarding established: I might be wrong! I willingly admit that I knew nothing about Verkada some days ago. Seems to be relatively new (5 year-ish) and "classic" Silicon Valley in that they push hard for growth to get their valuation up and try to "disrupt" by running everything in the cloud. More sales people than R&D, which I think is uncommon.

Verkada runs full lock-in, so if you buy a camera from them you have to buy their services. This is again relatively uncommon. Most of the industry supports the ONVIF standard, so you can run the hardware you bought with different software solutions. If you want encryption at rest, no problem. You just make an on-premise solution with full encryption. With Verkada you can't do that (incidentally Verkada have mocked ONVIF due to alleged security concerns, but obviously it undermines their business model with full lock-in).

Since combining Verkada and other hardware would require parallel systems, I made an educated guess that most customers would be places without previous hardware and/or less concern for the long run. Most large and high value targets have previous hardware, but certainly there are exceptions. And as stated earlier, I might be wrong :)

And lastly, you should be suspicious! Last time I bought a car I was very suspicious. I like the car I did buy very much, but next time I will be just as suspicious again. That's how things should be when it's about trust and high impact.


Is that HIPAA-compliant? (Not sarcasm: I don’t know HIPAA rules enough to assess myself in the cloud-vendor / medical-institution scenarios we’re seeing here.)


More on this.

“We did not exploit any flaws or vulnerabilities. The cameras have a built-in maintenance backdoor, which allows anyone with super admin privileges to access a root shell on any camera of any customer at the click of a button.”

https://ipvm.com/reports/verkada-hack


This would be illegal on so many levels in my country.

It is also not compliant with GDPR but I suspect these are not selling in Europe.

But this is in line with the general idea that anything you put online in some form will be public at some point. Internet Of Things to be hacked.
