Last week’s Verkada Inc. security camera breach has caught the attention of many as the newest “hair-raising” violation in the world of enterprise IoT.
Most are aware by now that an international hacker collective called “Advanced Persistent Threat 69420” broke into a massive stockpile of live feeds from Verkada’s web-based network of security cameras. The breach left sensitive and private video surveillance footage from its customers hacked and exposed, allowing the perpetrators to go so far as pivoting into separate corporate networks of some customer accounts.
The unfortunate incident exemplifies the extent of data security and privacy violations that can occur if video surveillance data falls into the wrong hands. Though investigations continue, lessons must be learned from this shocking incident.
Key Indications and Lessons to be Learned
The hacker’s were candid enough to divulge how they managed to orchestrate the breach, and it wasn’t out of the ordinary. Verkada’s security cameras were accessed via a publicly exposed super admin password that was readily available on the internet. After obtaining “root” access or—the authorization to execute any command on a device—the hackers weaponized the security cameras by executing their own code into them.
The weaponization and subsequent hijacking of the cameras made it possible to set up the devices as springboards to perpetrate secondary attacks and access the broader corporate networks of Verkada’s customers.
In light of the attack, two key indications jump out at us here at Palo Alto Networks:
- The ease with which hackers were able to obtain the admin password clearly indicates that best practices for unmanaged devices were simply not being followed at customer sites. In all likelihood, their security teams were not aware of the very existence of these security cameras in their organizations.
- The fact that hackers could access the broader corporate networks demonstrates that the best practice of segmenting the network to keep IoT devices partitioned from IT devices was not applied. Mixing IT and IoT devices on the same network allows malware to spread from vulnerable IoT devices to IT devices, or vice-versa, making it easy for actors to move laterally.
We believe having complete visibility of all devices in the organization is the first step towards protecting them.
We believe continuous risk assessment and enforcement of easily manageable trust-based security policies would have raised an alert to easily prevent this from happening.
Securing IoT is on Top of Our Mind
Last year Palo Alto Networks’ Unit 42 threat intelligence team analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States.
Our research revealed some astonishing facts about IoT devices in enterprise networks and reasons behind IoT-related cyberattacks.
- We found that while security cameras make up only 5% of enterprise IoT devices, they account for 33% of all security issues. The large scale Mirai attack of 2016 that compromised thousands of webcams is a good example to refer back to.
- 30% of network-connected devices in an average enterprise are IoT assets, yet most organizations have no visibility into them and fail to manage their security posture or risk profile.
- Weak passwords account for 13% of IoT threats. Operational misalignment between IoT device admins and IT teams is the main cause of password-related attacks.
- We found that basic network segmentation best practices that create a strong perimeter defense around network tiers aren’t being followed. In the case of healthcare, for instance, 72% of healthcare VLANs mix IT and IoT (or IoMT) devices.
IoT Security by Palo Alto Networks Protects All Devices—Including Security Cameras
Our IoT Security allows organizations to gain active control and full visibility into connected devices to natively secure them at scale. It provides risk-based policy recommendations to automate enforcement on the Next-Generation firewall, seamlessly integrating with your organization’s existing security posture.
Coming back to security cameras, we want to leave you with data that showcases how our IoT Security effectively helps discover, monitor and secure these devices. We recently surveyed over 135,000 active cameras from customer installed base, the findings are as follows:
- With machine learning, our IoT Security discovered over 134 types of cameras and surveillance devices.
- Over the course of the last 12 months, our IoT Security raised 99,000 alerts on the camera devices we monitor.
- Majority of the alerts raised on the camera devices are related to insecure application usage (such as FTP and HTTP) or the manufacturer’s default credential usage.
- 79% of all camera devices tracked by our IoT Security use clear text HTTP and FTP protocols.
- Out of the 134 types of camera devices tracked in our IoT Security database, 27.6% use a default manufacturer login credential.
- Out of all the individual camera devices we have surveyed from our customer installed base,
78.2% use a default manufacturer login credential.
- Among all the camera devices we monitor, 53.6% were found to have at least one vulnerability.
- A total of 575 vulnerabilities have been tracked in our database associated with camera devices.
The Verkada breach should serve as nothing short of a wake-up call to the growing problem of IoT-focused cyberattacks in enterprise environments. It should compel organizations to give serious thought to managing IoT’s risks in the interest of protecting their business operations from similar data security and privacy violations.
Connect with us to learn more about how our industry-first IoT Security protects every single device in your network while making single-purpose sensors a thing of the past.