The Verkada breach is not (only) about security

Verkada is a tech company founded in 2016 that offers surveillance solutions for enterprise customers. This is how they describe themselves on LinkedIn:

Earlier today, news broke that hackers were able to gain access to Verkada’s “Super Admin” feature which allows the user to see live and archived footage of Verkada customers. Over 150,000 security cameras were exposed, and affected customers included Tesla, US jails, and hospitals.

This is terrible, of course. Any security breach at a company that provides surveillance as a service is bad news for clients, and anyone who was taped.

I see you :)

Tillie Kottmann, one of the hackers who claimed credit for the incident, said they wanted to show the pervasiveness of video surveillance and the ease with which those systems could expose users’ confidential spaces.

Mission accomplished, I’d say. Unauthorized access to surveillance is a nightmare. Consider me spooked.

But this isn’t the full story. What was going on before the hack is disturbing in its own way. Verkada’s privacy policy is a good place to start:

Footage isn’t part of the “some information” that remains on the individual device.

Now you might ask what the issue is. Doesn’t everyone collect data? Don’t Google and Amazon do the same?

Sure, but (a) that doesn’t make it right, and (b) you’ve then got to keep it strictly first-party, like Google.

Which isn’t really the case:

There are third parties who can get “personal information”? And what’s a ‘reasonable business purpose’?

Third parties complicate things. The third parties have an agreement with Verkada, not Verkada’s customers. To know what could happen with your data, you then have to look up the privacy and security practices of these third parties. And it might go even further than one or two levels…

There is also the fact that the privacy policy does not detail any internal access restriction on this data. Lack of any mention of that on this and other privacy policies should be concerning. While it is understandable that a software service company might allow data access to a core team to enable product analytics and feature enhancements, some detail would be great given the sensitivity of this and other services. If not, couldn’t technically anyone from the CEO to the front-desk receptionist be able to gain access?

Turns out, that is exactly what was going on at Verkada. Below is a quote from the Bloomberg article on the incident:

The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.

The article goes on to mention that while there was a ‘process’ where employees had to fill out their reason for wanting access, enforcement was lacking, to say the least. Nobody was checking the logs, so people could put whatever they wanted in the reason notes, even whitespace. This also implies there was no level or role restriction — Follow some steps and you’re in.

Little wonder, then, that hackers were able to find a way in eventually.

While it can be tempting to lay the blame squarely on Verkada’s lax data security for this, it is worth noting that the damage potential of a security leak is often proportional to the weakness of user privacy.

If access was first-party and role-restricted, the hackers would have had a harder time getting in. However, if footage never left the device that was filming it, the hackers would’ve had nothing to find even if they got in.

Security is about keeping user data safe. Privacy is not collecting it in the first place.

It can also be tempting to think this is an enterprise surveillance problem, but reflect for a moment about services you might be using — Your laptop’s webcam. Your Chrome extensions. Your voice assistant. Your video calling app. Some modern conveniences might be essential to you, but it’s always a swell idea to ensure that you factor in good privacy when choosing a service.

Football. Anime. Manga. Tennis. Words.