The Madison County Jail Located in Huntsville, Alabama Was One of Dozens of Companies Whose Security Cameras Were Hacked on Tuesday, March 9, 2021
(Huntsville, AL) Bloomberg was first to report that a "hacktivist" group was able to gain access to over 150,000 security cameras made by a Silicon Valley company, Verkada, Inc. During the attack, hacktivists compromised cameras at jails, hospitals, schools, a Tesla assembly line, and countless other establishments around the country. But the attack also hit closer to home - the Madison County Jail.
This widespread level of intrusion is particularly sensitive where, as here, the attackers had access to privileged conversations in hospital rooms and jail interview rooms, and live look-ins at nearly all of the 150,000 security cameras. WHNT News 19 interviewed Xyston CEO Jarrod Hardy about how this attack took place and how similar attacks can be prevented in the future. It goes without saying that this level of access presents a significant risk to those charged with protecting such sensitive information.
Photo Courtesy of Bloomberg News. Attackers provided a screencap of the Madison County Jail as proof of the attack.
To put it bluntly, the attack itself was rather unsophisticated. According to WHNT, the attackers were able to obtain a password to a so-called "administrator account" through what the attackers described as a "publicly-accessible server." While the hacktivists did not reveal the exact method used to retrieve the password, it is highly likely that the server itself was compromised to some extent, which allowed the attackers to gain either an encrypted or unencrypted version of the password and/or login credentials. The attackers then proceeded to use a series of vulnerabilities in the cameras to exploit the devices and carry out the attack. While these vulnerabilities may have seemed minor or even acceptable at the time, added together they created an avenue of attack. According to Bloomberg, Verkada is working with the FBI and has not disclosed any details of the attack due to the ongoing nature of the investigation and response. Verkada has publicly announced, however, that the password has been changed.
Three weaknesses in the cameras made the attack possible. First, each camera contained a "Debug Mode." In this mode, an administrator at Verkada HQ could gain remote access to the device. The most likely reason for this feature was to be able to provide tech support in the event a camera malfunctioned or a user needed help. Second, all cameras used the same username and password to access "Debug Mode." This was most likely done so that any IT admin at Verkada could quickly access each camera. But this was a huge cyber security risk because a single compromised password could be (and was) used to access all cameras. Finally, once "Debug Mode" was activated it acted as "root," which effectively gave the admin complete and total control of the camera, its images, stored videos, advanced AI facial recognition, metadata on the individuals pictured, and any other data stored on the camera. As a result of these three vulnerabilities coupled with the compromised password, the attackers were able to act as a "super admin" and enable "Debug Mode" on all cameras, thus gaining complete and total access to the live feed on over 150,000 cameras.
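The way these three weaknesses compound can be checked from a device inventory. The following is an added example, not code from Verkada or Xyston: it groups devices by the credential that unlocks remote debug access and reports how much of the fleet one leaked credential would expose. The field names, device IDs and credential fingerprints are hypothetical, and the inventory is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    device_id: str
    remote_debug: bool           # maintenance/debug mode can be enabled remotely
    debug_cred_fingerprint: str  # fingerprint of the debug credential, never the secret
    debug_privilege: str         # "root" or the name of a restricted role

# Constructed sample inventory (hypothetical devices and fingerprints).
FLEET = [
    Device("cam-001", True, "fp-A", "root"),
    Device("cam-002", True, "fp-A", "root"),
    Device("cam-003", True, "fp-A", "root"),
    Device("cam-004", True, "fp-B", "support-readonly"),
    Device("cam-005", False, "fp-C", "root"),
]

def blast_radius(fleet):
    """Map each debug credential to the devices it can reach remotely."""
    reach = defaultdict(list)
    for dev in fleet:
        if dev.remote_debug:
            reach[dev.debug_cred_fingerprint].append(dev)
    return reach

def audit(fleet):
    """One finding per credential; severity rises as the weaknesses stack."""
    findings = []
    for fingerprint, devices in sorted(blast_radius(fleet).items()):
        rooted = [d.device_id for d in devices if d.debug_privilege == "root"]
        shared = len(devices) > 1
        if shared and rooted:
            severity = "critical"  # shared credential + remote debug + root
        elif shared or rooted:
            severity = "high"
        else:
            severity = "low"
        findings.append({
            "credential": fingerprint,
            "devices_reachable": len(devices),
            "root_devices": rooted,
            "fleet_share": len(devices) / len(fleet),
            "severity": severity,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(FLEET):
        print(finding)
```

A credential whose `fleet_share` approaches 1.0 with root privilege is the single point of failure described above; per-device credentials or a restricted debug role each lower the severity on their own.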
These Types of Attacks are Preventable With Proper Embedded Systems Penetration Testing
Perhaps the most frustrating part of the attack was its apparent simplicity and lack of sophistication, according to Xyston CEO Jarrod Hardy in an interview with WHNT. "If somebody has enough time and the skill set, it’s actually fairly easy to compromise a lot of these systems," Mr. Hardy said.
Xyston CEO Jarrod Hardy speaks with WHNT about the attack.
Mr. Hardy also pointed out that penetration tests (or more commonly, "pen tests"), just like those performed by Xyston, use the same techniques, methods, and strategies used by attackers to reveal how a real adversary could compromise an embedded system. To use the attack on Verkada's camera as an example, a company like Xyston could have worked with Verkada to uncover the vulnerabilities on its camera or worked with users of the camera (such as Madison County Jail) to explain the risks posed by the camera.
Xyston CTO Devin Madewell Points Out That Embedded Systems - Such As The Verkada Camera - Do Not Receive the Same Level of Scrutiny as Workstation Computers or Enterprise Servers
It is understandable to assume that a device used in hospitals, jails, and police departments is cyber secure. According to Bloomberg, Verkada claimed that its camera was "HIPAA compliant" and approved for more private areas, such as hospital rooms, where privileged conversations take place.
Xyston CTO Devin Madewell points out, "the majority of Pen Testing is done on enterprise workstations and servers while the security camera overhead or the badge scanner in front is ignored. Furthermore, the creators of these embedded devices have not caught up to the enterprise world in emphasizing security or taking advantage of the security practices existing. That is why we have seen an explosion of these types of attacks. CMMC doesn't fix this, traditional Pen Testing wouldn't reveal this - only Embedded Systems Pen Testing efforts could have exposed the vulnerabilities that led to this major event: our local Jail being on the Global News."
Compliance Doesn't Reveal Vulnerabilities - Embedded Systems Pen Testing Reveals Vulnerabilities
Last October Mr. Madewell spoke at Rocket Secure 4 - a local Cybersecurity Conference on this very topic. During this talk he performed a live demonstration to show how these attacks happen and how a pen test can prevent them from happening in the first place. The process of Embedded Systems Pen Testing is rather simple - beginning with a scan of the plethora of publicly available information and quickly ramping up in sophistication to include complex analysis of embedded firmware. In the end, an extensive vulnerability report is compiled along with recommendations, remediations, and mitigations to those vulnerabilities and presented to cybersecurity leadership.
In Verkada's case, a pen test would have revealed the three vulnerabilities and provided Verkada's cybersecurity leadership with a report outlining the single point of failure they presented. Instead, Verkada was either unaware or unable to fix these vulnerabilities. Unfortunately, now it is too late and dozens of companies, hospitals, jails, and others have been forced into "cyber response" mode.
As We Rely More On These Systems We Must Trust But Verify
Finally, while this particular set of hackers claimed to have done no damage to the systems they compromised, a more nefarious attacker could have left a wake of destruction. "Root" access allows for the installation of backdoors and rootkits which can render the device permanently compromised. They could have used the cameras as a launching point for other separate network attacks and pivoted to other devices. Many - if not all - of the cameras were on closed networks which could have revealed even more data to the attackers. Ultimately, in order for the attackers' claim of "no damage done" to be confirmed, a thorough Embedded Systems Pen Test may need to be conducted. This will also verify that no malware or other compromises were left on the devices.
As embedded systems grow in use throughout our world the need for Embedded Systems Pen Testing grows with it. More attacks will occur as businesses and consumers try to catch up to the growing threat of cyber attacks. Companies like Xyston mitigate this threat by becoming the bad guys before the bad guys even have a chance.
As we like to say: it's better to hear about a critical vulnerability from us instead of the news.
For more information on how to order an Embedded Systems Penetration Test or for questions please feel free to contact us!