In the latest of the seemingly endless string of IoT security incidents, Verkada—a video security startup that boasts its real-time, accessible-from-anywhere management console—was recently breached. This incident exposed live and saved video feeds from over 149,000 security cameras in use within office buildings, schools, and consumers’ homes, counting larger businesses such as Tesla and Cloudflare among the victims. In this breach, an administrator’s password was published to the internet, allowing hackers to log in with privileged access to the full platform and customer files.
The ThreatLabZ research team regularly monitors IoT threats among the 150+ billion Zscaler platform transactions that occur daily, and listed IP and network cameras among the top unauthorized devices in use on corporate networks in its 2020 IoT Devices in the Enterprise report.
Typically, the threat posed by IoT cameras is that the devices themselves are easy to hack, providing attackers access to corporate networks as employees check their nanny cams from work or engage in similar activities. These types of exploits pop up regularly, such as the RIFT botnet, which looks for vulnerabilities in network cameras, IP cameras, DVRs, and home routers.
This latest breach, however, represents a different type of security concern that is not exclusive to IoT devices (and certainly not exclusive to Verkada): vendors in your environment who may be storing data with inadequate protections. As a security practitioner, you must be aware of the security protocols in place for all of the sensitive data in your ecosystem, whether you manage it yourself or a vendor manages it on your behalf. Failing to do so is like having someone in your pandemic bubble whose behaviors you have no visibility into: you hope they aren’t going to raves every weekend, but you have no way to really know whether you’re safe.
There are a few takeaways we can learn from incidents like the Verkada breach:
Every breach story is another reason to take steps forward in your journey to comprehensive zero trust. To learn more about IoT security trends and best practices, check out the ThreatLabZ report, 2020 IoT in the Enterprise: Shadow IoT Emerges.