A hacker group claims to have recently broken into the networks of cloud-based surveillance firm Verkada, a Silicon Valley startup that sells security systems to, and manages them for, thousands of organizations across the country.
Once inside the firm’s walls, the hackers were able to use its 150,000 live camera feeds to peer into the internal workings of countless organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare, according to a report from Bloomberg. The scope of the hack appears massive.
The hackers claim to have downloaded large amounts of data and to have witnessed private, confidential incidents that had transpired “behind closed doors” in the many institutions on which they spied.
The incident first gained public attention Tuesday afternoon, when a Twitter user who goes by the name “Tillie” began leaking purported images of the hack onto the internet: “ever wondered what a @Tesla warehouse looks like?” the hacker quipped, dangling a picture of what appeared to be an industrial facility.
Tillie, who goes by the full name Tillie Kottmann and uses they/them pronouns, has told multiple news outlets that they are part of an international hacker collective responsible for having breached Verkada. The group seems to go by the moniker “Arson Cats” and has also referred to itself as an “APT,” in reference to the “advanced persistent threats” label given to hacker groups by security researchers.
According to Bloomberg, “Arson Cats” gained entry to Verkada via a shockingly bad security blunder: The hackers discovered a password and username for a high-access administrative account that had been left publicly exposed to the internet. In a Twitter message, Tillie reiterated this to Gizmodo, claiming that once they had the high-access credentials (which unlocked a “super administrator” account), they were able to hook into any of the 150,000 video feeds in Verkada’s library.
“The access we had allowed us to impersonate any user of the system and access their view of the platform,” said the hacker, further explaining that the “superadmin rights are also what granted us access to the root shell at the click of a button.”
Kottmann, whose website shows they are an Android developer, claims to have been previously involved in some high-profile hacks—including ones involving Intel and Nissan. This recent hack may dwarf those, however.
Among other things, Kottmann claimed Tuesday that the hacker group could have used their access to sneak into the laptop of Cloudflare CEO Matthew Prince—and later boasted that, had they wanted to, “Arson Cats” could have “owned half the internet.”
In a statement sent to Gizmodo Tuesday, a spokesperson for Verkada said that the company had notified customers and that it was working to understand the extent of the hack: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and [an] external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” the spokesperson said.
Emails sent to Tesla and Equinox have not yet been met with a response. A representative from Cloudflare sent the following message:
This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in a handful of offices that have been officially closed for several months. As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, this incident does not impact Cloudflare products and we have no reason to believe that an incident involving office security cameras would impact customers.
The interesting thing about this hack so far has been the loudly “hacktivist” tone to the whole thing. “Arson Cats” has very noticeably courted public attention, calling their intrusion campaign “Operation Panopticon” and claiming they want to “end surveillance capitalism” by bringing attention to the ways in which ubiquitous surveillance dominates people’s lives. They also seem to identify as anarchist, with Kottmann claiming to have no affiliation with any “nations or corporations.”
Asked about the political intent of the hack, Tillie said part of the motivation was that they hated “surveillance capitalism”:
“Yeah i guess i hate capitalism in general, surveillance capitalism being an especially horrible and disgusting part of it,” the hacker told Gizmodo via Twitter. “however the insight having access to these camera feeds has given us has also been a very interesting way to see things we all know happen behind closed doors, but usually never get to see.”