Verkada Security Camera Breach: Insider Sells Access to Hacker, Tesla and Cloudflare Exposed
A hacker group gained access to Verkada's internal admin tool through credentials found on the internet, viewing live feeds from 150,000 security cameras inside Tesla factories, Cloudflare offices, hospitals, jails, and police stations.
Background
Verkada sells cloud-connected security cameras to businesses. Its "super admin" account had global access to every customer's camera feeds. In March 2021, the hacker group known as APT-69420 Arson Cats claimed to have accessed Verkada's admin portal.
The Attack
Attackers found Verkada admin credentials exposed on the public internet — reportedly on a GitLab repository or similar source. The super-admin credentials gave access to all customer camera feeds simultaneously. Attackers accessed live and archived footage from 150,000 cameras inside Tesla manufacturing facilities (including footage of a worker restraint), Cloudflare offices, Sandy Hook Elementary School, Tempe schools, women's health clinics, psychiatric hospitals, and county jails. One hacker stated the motivation was to expose the insecurity of mass surveillance systems. The group also accessed Verkada's internal network and customer data.
Response
Verkada disabled all internal administrator accounts to terminate access. The company notified customers and law enforcement. One hacker (Tillie Kottmann) was indicted on charges related to multiple corporate breaches. Verkada conducted a security review and redesigned admin access controls.
Outcome
The breach exposed footage from some of the most sensitive environments imaginable — schools, psychiatric facilities, healthcare providers, and law enforcement — simultaneously. The mass access enabled by a single super-admin credential demonstrated the systemic risk of cloud camera systems with centralised admin access.
Key Takeaways
- Super-admin credentials with access to all customer data must never be stored in code repositories or anywhere publicly accessible
- Video surveillance data from sensitive environments (healthcare, education, law enforcement) requires especially strict access controls
- Cloud-connected physical security systems create cyber risks that physical security teams must understand
- A single credential providing access to all customers' environments is a catastrophic security design pattern
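
The last takeaway, sketched as an added example (not Verkada's code): support staff hold no standing global access, and every feed request must match a per-customer, time-limited grant approved by a second person, with denials logged as well. The names `Grant`, `SupportAccess`, `alice`, `bob` and the customer IDs are hypothetical.

```python
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    """Time-boxed permission for one staff member on one customer (hypothetical model)."""
    staff: str
    customer: str
    approver: str
    expires_at: float

@dataclass
class SupportAccess:
    max_ttl: float = 3600.0  # assumption: no grant may outlive one hour
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def approve(self, staff, customer, approver, ttl, now=None):
        now = time.time() if now is None else now
        if approver == staff:
            raise PermissionError("self-approval is not allowed")
        if not customer or customer == "*":
            # There is deliberately no wildcard: a grant names exactly one customer.
            raise ValueError("grants must name exactly one customer")
        if not 0 < ttl <= self.max_ttl:
            raise ValueError("ttl outside permitted range")
        grant = Grant(staff, customer, approver, now + ttl)
        self.grants.append(grant)
        self.audit.append(("approve", staff, customer, approver, now))
        return grant

    def can_view(self, staff, customer, now=None):
        now = time.time() if now is None else now
        allowed = any(g.staff == staff and g.customer == customer and now < g.expires_at
                      for g in self.grants)
        # Denials are logged too, so probing across many customers is visible.
        self.audit.append(("view" if allowed else "deny", staff, customer, None, now))
        return allowed

def demo():
    """Constructed scenario: one approved grant, then out-of-scope and expired requests."""
    acl = SupportAccess()
    acl.approve("alice", "customer-a", approver="bob", ttl=900, now=1000.0)
    return (
        acl.can_view("alice", "customer-a", now=1500.0),  # inside the grant
        acl.can_view("alice", "customer-b", now=1500.0),  # different customer
        acl.can_view("alice", "customer-a", now=2000.0),  # grant expired at 1900
        [entry[0] for entry in acl.audit],
    )
```

With this shape, a leaked staff credential exposes at most the customers with an unexpired grant for that staff member, rather than every customer at once.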