Different IoT Breach, Same (In)Security Story, Broader Consequences

March 19, 2021 Andrew Silberman

Verkada IoT Security Breach

“I always feel like somebody’s watching me… Tell me is it just a dream?”

It may have been a dream in 1984 when “Somebody’s Watching Me” topped the charts, but today it’s real life: somebody is almost always watching. Security cameras live on street corners and traffic lights, in prisons, schools, hospitals, and gyms, around our homes, and in our workplaces. Like it or not, video surveillance is a huge part of how society protects its people and assets in 2021.

Many of these cameras are cloud-based and connected to company IT networks and infrastructure – sometimes even the same systems that store data and run applications. These cameras, together with billions of other “smart” devices that can connect with and “talk” to each other, make up the Internet of Things (IoT).

But what happens when these interconnected devices are not secured like other sensitive network assets? Last week, the world got a glimpse of the answer when attackers breached video security startup Verkada. According to reports, the attackers gained access to live feeds from about 150,000 IoT-enabled surveillance cameras – positioned over hospital ICU beds, within correctional facilities, in classrooms, and more – and exposed sensitive footage belonging to a number of the software company’s customers.

Attackers Scale Impact by Following a Familiar Path

In this latest IoT breach, it seems the attackers followed a familiar path – one we’ve seen far too often. They reportedly targeted credentials, locating a username and password for a Verkada admin account that had been exposed on the internet. With this, they were able to move freely throughout the network as if they were a support team member performing bulk maintenance operations on cameras. It was later confirmed that more than 100 people within the organization had “super admin” access to this powerful account, each of whom could access thousands of customer cameras.

In a public statement, the company wrote, “In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.”

Additionally, by gaining root access to the cameras, the attackers could potentially use them to execute their own malicious code, Bloomberg reported. In some cases, this privileged access could allow them “to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks.”

The Great IoT Security Debate

There is much discussion on how to tackle the IoT security challenge, with responsibility at the crux of the debate. Is it the manufacturer that must design and build secure devices from the start? Or is it the customer’s responsibility to strengthen protections – from individuals changing default passwords on devices in their homes to enterprises removing hard-coded passwords and beefing up endpoint security for network-connected IoT devices? There’s an industry-wide push for more standards and guidelines to help clarify these big questions, and most agree there’s much work to be done before we have a clear path forward.

The good news is that consensus is growing that IoT devices – especially those used by enterprises and government agencies – must be treated with the same attention and gravity as traditional IT systems. The bipartisan IoT Cybersecurity Improvement Act marked a major milestone in this push. But attackers aren’t waiting around. On the contrary, they’re growing in confidence and precision and increasingly targeting the digital supply chain to scale their impact, as demonstrated in both the recent Verkada and SolarWinds breaches.

IoT represents a potentially massive attack surface, and no matter how strong an organization’s in-house security practices may be, attackers can sometimes circumvent them. For example, IoT devices often receive firmware updates over the air; if the device does not verify that an update is authentic before installing it, that update channel becomes an easy path to compromise.

It’s Time to Get Smart About Smart Devices

Smart IoT devices simultaneously represent some of the greatest innovations and the greatest challenges for the modern workplace. Here are a few ways your digital business can get smarter (and more secure) while using them:

  1. Catalog connected devices in your network. Identify every device on the network (including “BYO” devices) and understand what it does. This includes cameras, printers, doorbells, audio-visual equipment, HVAC systems, or anything else that connects to the internet and/or calls itself “smart.”
  2. Manage devices centrally. IoT devices are often manufactured with built-in or hardcoded passwords – making them easy targets. Replace these with strong, unique passwords, and automate credential storage, rotation, and management to minimize the risk of human error.
  3. Disable automatic root access. This is typically built into IoT devices such as security cameras. Yes, that level of access will be needed on occasion, but even trusted users should have to jump through a few hoops to validate their identity and access path to get it. Which brings us to number four…
  4. Implement the concept of “least privilege.” Limiting what people and devices have access to in a network is one of the best ways to reduce your attack surface and keep attackers from causing harm. Before granting access, always verify the identity, validate the device, then limit access to just what is needed – and remove it when it’s not.
  5. Secure remote access. To counteract the inherent weaknesses of IoT, limit remote access (for firmware updates, maintenance, and more) to verified parties, locations, and established ports.
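As an added example (not code from the original post, and not Verkada’s or any vendor’s own tooling), the following Python models the audit and access checks that items 1, 2 and 4 describe, run over a constructed device inventory: it flags factory-default and shared passwords, rotates them to unique random values, and answers access requests from site-scoped, expiring role grants so that a wildcard “super admin” grant is something audit reports rather than the norm. Every device name, credential, principal and the default-credential list is invented for the demo.

```python
"""Added example: audit a constructed IoT inventory for weak credentials
and gate device actions with least-privilege, site-scoped grants.
All names, passwords, roles and dates below are invented."""
from __future__ import annotations
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

TODAY = date(2021, 3, 19)  # fixed "now" so the demo is reproducible

# Factory defaults a scanner would compare against (constructed list).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}


@dataclass
class Device:
    name: str
    kind: str            # camera, printer, hvac, ...
    site: str
    username: str
    password: str
    last_rotated: date


def find_default_credentials(inventory):
    """Item 1/2: devices still on a known factory credential pair."""
    return [d.name for d in inventory if (d.username, d.password) in KNOWN_DEFAULTS]


def find_shared_credentials(inventory):
    """Item 2: devices sharing one password are one leak away from bulk compromise."""
    groups = defaultdict(list)
    for d in inventory:
        groups[(d.username, d.password)].append(d.name)
    return [names for names in groups.values() if len(names) > 1]


def find_stale_rotations(inventory, today, max_age_days=90):
    """Item 2: devices whose password has not been rotated within the window."""
    return [d.name for d in inventory if (today - d.last_rotated).days > max_age_days]


def rotate_password(device, today, length=24):
    """Replace the device password with a unique random one and record the date."""
    alphabet = string.ascii_letters + string.digits
    device.password = "".join(secrets.choice(alphabet) for _ in range(length))
    device.last_rotated = today
    return device.password


# Item 4: a grant binds one principal to one role on one site and expires.
# A site of "*" is the "super admin" case: allowed to exist, but reported.
@dataclass
class Grant:
    principal: str
    role: str
    site: str
    expires: date


ROLE_ACTIONS = {
    "viewer": {"view"},
    "maintainer": {"view", "reboot", "update_firmware"},
    "super_admin": {"view", "reboot", "update_firmware", "shell"},
}


def authorize(grants, principal, action, device, today):
    """Deny by default; allow only via a live grant whose site covers the device."""
    for g in grants:
        if g.principal != principal or g.expires < today:
            continue
        if g.site not in ("*", device.site):
            continue
        if action in ROLE_ACTIONS.get(g.role, set()):
            return True
    return False


def audit_broad_grants(grants, today):
    """Principals holding a live wildcard-site super_admin grant."""
    return sorted({g.principal for g in grants
                   if g.role == "super_admin" and g.site == "*" and g.expires >= today})


def demo_inventory():
    return [
        Device("cam-icu-01", "camera", "hospital-a", "admin", "admin", date(2020, 6, 1)),
        Device("cam-icu-02", "camera", "hospital-a", "admin", "Summer2020!", date(2020, 6, 1)),
        Device("cam-lobby", "camera", "hospital-b", "admin", "Summer2020!", date(2021, 2, 1)),
        Device("hvac-roof", "hvac", "hospital-b", "root", "q7Gz4pL9wTn2", date(2021, 3, 1)),
    ]


def demo_grants():
    return [
        Grant("alice", "super_admin", "*", date(2022, 1, 1)),        # flagged by audit
        Grant("bob", "maintainer", "hospital-a", date(2021, 6, 1)),  # scoped to one site
        Grant("carol", "viewer", "hospital-b", date(2021, 1, 1)),    # already expired
    ]


if __name__ == "__main__":
    inv, grants = demo_inventory(), demo_grants()
    print("defaults:", find_default_credentials(inv))
    print("shared:  ", find_shared_credentials(inv))
    print("stale:   ", find_stale_rotations(inv, TODAY))
    print("broad:   ", audit_broad_grants(grants, TODAY))
    print("bob reboot cam-icu-01:", authorize(grants, "bob", "reboot", inv[0], TODAY))
    print("bob shell  cam-icu-01:", authorize(grants, "bob", "shell", inv[0], TODAY))
```

The authorization function is deliberately deny-by-default: a request succeeds only if some unexpired grant names the principal, covers the device’s site, and maps the role to the requested action. The wildcard site is not forbidden, because bulk maintenance sometimes needs it, but audit_broad_grants() makes every such holder visible, which is the control that was missing when more than a hundred accounts could reach every customer camera.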

Who Watches the Watchmen?

The Verkada breach showed us the dark and very dangerous side of the IoT. In its aftermath, new questions are swirling on how surveillance technology should (and should not) be used, how sensitive data should be stored and how access to this data should be managed. Beyond emphasizing current IoT risks, this attack has the potential for far-reaching privacy and regulatory implications, including HIPAA.

While connected cameras are making headlines today, the reality is that any device, endpoint, server, or system that connects to the internet, in any fashion, represents a potential vulnerability. In most enterprises today, more than 30% of all network-connected endpoints are IoT devices – and that’s not even counting mobile devices. Don’t wait for consensus on standards or push it down the priority list: the time to address IoT security in your organization is now.
