The Verkada breach is not (only) about security
Verkada is a tech company founded in 2016 that offers surveillance solutions for enterprise customers. This is how they describe themselves on LinkedIn:
Earlier today, news broke that hackers were able to gain access to Verkada’s “Super Admin” feature which allows the user to see live and archived footage of Verkada customers. Over 150,000 security cameras were exposed, and affected customers included Tesla, US jails, and hospitals.
This is terrible, of course. Any security breach at a company that provides surveillance as a service is bad news for clients, and anyone who was taped.
Tillie Kottmann, one of the hackers who claimed credit for the incident, said they wanted to show the pervasiveness of video surveillance and the ease with which those systems could expose users’ confidential spaces.
Mission accomplished, I’d say. Unauthorized access to surveillance is a nightmare. Consider me spooked.
Now you might ask what the issue is. Doesn’t everyone collect data? Don’t Google and Amazon do the same?
Sure, but (a) that doesn’t make it right, and (b) you’ve then got to keep it strictly first-party, like Google.
Which isn’t really the case:
Third parties complicate things. The third parties have an agreement with Verkada, not Verkada’s customers. To know what could happen with your data, you then have to look up the privacy and security practices of these third parties. And it might go even further than one or two levels…
Turns out, that is exactly what was going on at Verkada. Below is a quote from the Bloomberg article on the incident:
The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.
The article goes on to mention that while there was a ‘process’ where employees had to fill out their reason for wanting access, enforcement was lacking, to say the least. Nobody was checking the logs, so people could put whatever they wanted in the reason field, even just whitespace. This also implies there was no level or role restriction: follow some steps and you’re in.
Little wonder, then, that hackers were able to find a way in eventually.
While it can be tempting to lay the blame squarely on Verkada’s lax data security for this, it is worth noting that the damage potential of a security leak is often proportional to the weakness of user privacy.
If access was first-party and role-restricted, the hackers would have had a harder time getting in. However, if footage never left the device that was filming it, the hackers would’ve had nothing to find even if they got in.
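To make the difference concrete, here is an added example (not Verkada’s code; the role names, customer ids and camera inventory are constructed) that puts the access-grant pattern the article describes beside a least-privilege version: the lax one accepts any role and any reason, including whitespace, and hands out global scope; the strict one gates on role, rejects blank justifications, scopes the grant to a single customer’s cameras and writes an audit entry for every decision.

```python
"""Access-grant check modelled on the failures described above (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    INTERN = "intern"
    SALES = "sales"
    SUPPORT_ENGINEER = "support_engineer"


# Hypothetical policy: only support engineers may be granted customer-footage
# access, and only to the cameras of the customer named in the request.
ROLES_ALLOWED_FOOTAGE_ACCESS = {Role.SUPPORT_ENGINEER}


@dataclass
class AccessRequest:
    requester: str
    role: Role
    customer_id: str  # the single customer whose cameras are needed
    reason: str       # free-text justification (the field abused with whitespace)


@dataclass
class Decision:
    granted: bool
    scope: set = field(default_factory=set)  # camera ids actually granted
    detail: str = ""


def lax_grant(req: AccessRequest, all_cameras: dict) -> Decision:
    """The pattern the article describes: any role, any reason, global scope."""
    return Decision(True, set(all_cameras), "form filled, access granted")


def strict_grant(req: AccessRequest, all_cameras: dict, audit_log: list) -> Decision:
    """Least-privilege version: role gate, non-empty justification, one-customer scope."""
    if req.role not in ROLES_ALLOWED_FOOTAGE_ACCESS:
        audit_log.append(("DENY", req.requester, "role"))
        return Decision(False, detail=f"role {req.role.value} may not view footage")
    if not req.reason.strip():  # whitespace-only reasons are rejected
        audit_log.append(("DENY", req.requester, "empty reason"))
        return Decision(False, detail="justification required")
    scope = {cam for cam, owner in all_cameras.items() if owner == req.customer_id}
    audit_log.append(("GRANT", req.requester, req.customer_id, req.reason.strip()))
    return Decision(True, scope, f"scoped to customer {req.customer_id}")


# Constructed sample inventory: camera id -> owning customer
CAMERAS = {"cam-001": "acme", "cam-002": "acme", "cam-003": "globex"}
```

The audit log only helps if someone reads it; the strict version makes the entries worth reading because every grant carries the role, the customer and the real justification.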
Security is about keeping user data safe. Privacy is not collecting it in the first place.
It can also be tempting to think this is an enterprise surveillance problem, but reflect for a moment on the services you might be using: your laptop’s webcam, your Chrome extensions, your voice assistant, your video calling app. Some modern conveniences might be essential to you, but it’s always a swell idea to ensure that you factor in good privacy when choosing a service.