Verkada, a Silicon Valley-based security camera and solution provider, recently suffered a massive hack that exposed over 150000 cameras deployed in institutions such as hospitals and jails.
Evaluating the current Verkada incident brings one thing to the fore: how a Waterloo can befall the very objective of surveillance and protection. It has been revealed in one stroke through the increasingly omnipresent eyes on the ceiling, Internet-connected cameras that capture our lives in ways many people may not realize, and etch them onto a Web that never forgets.
Scalability and security should go hand in hand
Cameras, much like other hardware devices, are often manufactured with built-in or hard-coded passwords that are rarely, if ever, changed by the customer. “While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact,” says Asaf Hecht, Cyber Research Team Leader, CyberArk.
While Verkada reportedly took the right step of disabling all internal administrator accounts to prevent further unauthorized access, it was likely too late: the attackers had already landed. Based on what has been reported, this attack follows a well-worn path: target privileged accounts with administrative access, escalate privileges to enable lateral movement, and obtain access to highly sensitive data and information, effectively completing the intended goal.
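The attack path described above (use of a built-in administrative account, escalation of another account to super-admin, then rapid access to feeds across many unrelated sites) is exactly the sequence a defender would want to alert on. The following is an added detection sketch written for this article, not code from Verkada or from either vendor quoted here; the audit-log format, the account names and the sample events are all constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag the three stages of the privileged-account attack path described in
the article: built-in account logins, role escalation to super-admin, and a
single actor touching feeds across many sites in a short window."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events. Hypothetical line format:
#   timestamp|actor|action|target|site
SAMPLE_LOG = """\
2021-03-08T10:00:01|alice|login|ok|site-hospital
2021-03-08T10:05:10|admin|login|ok|site-hq
2021-03-08T10:06:00|admin|grant_role|bob:super_admin|site-hq
2021-03-08T10:07:12|bob|view_feed|cam-001|site-hospital
2021-03-08T10:07:30|bob|view_feed|cam-044|site-jail
2021-03-08T10:07:55|bob|view_feed|cam-210|site-school
2021-03-08T10:08:20|bob|view_feed|cam-318|site-office
2021-03-08T10:30:00|alice|view_feed|cam-002|site-hospital
"""

# Built-in / vendor account names that should never log in interactively.
# Constructed list; a real deployment would enumerate its own.
BUILTIN_ACCOUNTS = {"admin", "root", "support"}
LATERAL_SITE_THRESHOLD = 3      # distinct sites per actor within the window
LATERAL_WINDOW_SECONDS = 600    # assumed 10-minute window


def parse_events(text):
    """Parse the constructed pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, site = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "site": site})
    return events


def detect(events):
    """Return (finding_type, subject, timestamp) tuples in detection order."""
    findings = []
    feed_views = defaultdict(list)
    for e in events:
        # Stage 1: a built-in administrative account is used at all.
        if e["action"] == "login" and e["actor"] in BUILTIN_ACCOUNTS:
            findings.append(("builtin_account_login", e["actor"], e["ts"]))
        # Stage 2: someone is granted the highest privilege level.
        if e["action"] == "grant_role" and e["target"].endswith(":super_admin"):
            grantee = e["target"].split(":", 1)[0]
            findings.append(("privilege_escalation",
                             f"{e['actor']}->{grantee}", e["ts"]))
        if e["action"] == "view_feed":
            feed_views[e["actor"]].append(e)

    # Stage 3: one actor reaching feeds at many distinct sites within the window,
    # which normal operators (tied to one facility) do not do.
    for actor, views in feed_views.items():
        views.sort(key=lambda v: v["ts"])
        for i, first in enumerate(views):
            sites = set()
            for v in views[i:]:
                if (v["ts"] - first["ts"]).total_seconds() > LATERAL_WINDOW_SECONDS:
                    break
                sites.add(v["site"])
            if len(sites) >= LATERAL_SITE_THRESHOLD:
                findings.append(("lateral_movement", actor, first["ts"]))
                break
    return findings


if __name__ == "__main__":
    for kind, subject, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:24s} {subject}")
```

On the constructed log this reports the `admin` login, the `admin->bob` escalation and `bob`'s cross-site feed access, while `alice`, who only views a single camera at her own site, produces nothing. The point of the third rule is that disabling built-in accounts after the fact (as the article notes Verkada did) arrives too late; the cross-site access pattern is what shows up while the intrusion is still in progress.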
Most of these new-age Internet-connected technology services solve the pertinent problem of enabling a solution in a matter of clicks. But they enable these services at the cost of controls and compliance, thereby exposing the very clients they serve. With a budding ecosystem of growing entrepreneurship, newer business models for delivering services are being enabled. “As some of these services grow, they fail to ensure tighter controls in their compliance on the service ecosystem which they create, leading to exploitation as they become widespread,” says Manoj Kanodia, CEO, Inspira Enterprise.
The solution
To tackle this problem effectively, an approach like that of the PCI council should be adopted. “Any service which is launched in B2C or B2B customer segment, offered in a dedicated or cloud model, should have scalable compliance on the domains/categories where they handle PII data (Video Surveillance, Tax transactions, etc.) on a similar model as the payment systems,” suggests Kanodia.
The chipset and encryption ecosystem embedded in payment systems should also be adopted by these service providers and products, together with their ecosystem of connected devices. Payment systems have already reached a reasonable level of security for the exchange of data across various mediums. With the improved power of embedded silicon and 5G connectivity, minimum guidelines should be mandated based on the scale of the service provider, much like the compliance level required of a merchant based on its transaction volume. This would allow a service provider to build its business and, as volumes grow, ensure that tighter security controls are embedded and monitored.
Any service not complying with these standards should not be allowed to expand, and such services should be closed before they scale.
Potential impact
These kinds of attacks will likely lead to changes in certain yet-to-be-announced regulations. “What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA,” opines Hecht.
This problem will multiply many-fold with the advent of 5G across the globe and with the availability of deepfake technology, which enables the creation of social-media chaos across all layers of society. “Any hackers/social chaos creators will use this platform to create chaos easily. We have already seen these kinds of problems where fake and false narratives are set,” says Kanodia.