Verkada Breach Demonstrates Danger of Overprivileged Users

Published: 23/11/2024   Category: security




In re-evaluating supply chains, companies should classify vendors with super admin privileges to devices or backdoors as a significant threat.



Uber's God Mode. Hard-coded passwords in networking products. Rosenbridge processor backdoors. And now Verkada's super admin account that reportedly gave hackers — as well as more than 100 internal users — access to videos from tens of thousands of client cameras.
The list of massive security failures due to product or service architectures that give a single user or group unfettered privileges continues to grow. In the latest case, hackers gained access to a super admin account for the cloud service of security-camera startup Verkada, enabling them to view videos from nearly 150,000 cameras. Prisoners in county jails, factories for carmaker Tesla, and the offices of Internet-infrastructure firm Cloudflare were all viewable using privileged access, according to reports and hacker statements.
Accounts that have backdoor access to devices or unlimited service capabilities significantly undermine security — even more so as supply chain attacks have become more common, says Jeff Costlow, chief information security officer at ExtraHop, a cloud security firm.
"I'm OK with vendors having the ability to auto-update the device," he says. "That means they have control over the source code. But that doesn't mean that they have control over the device any time they want."
The massive breach of privacy of Verkada's customers highlights that companies — often, startups — have not always adopted best practices for privileged access to systems. The lesson is learned with regularity, often when a vendor's clients or customers have their security or privacy compromised.
A decade ago, for example, ride-share service Uber created a God Mode that gave administrators access to any Uber user's ride history, leading to a variety of abuses, including spying on the habits of celebrities, tracking reporters' movements, and stalking exes. Network and Internet of Things devices — from Cisco, Ubiquiti, and others — repeatedly have been found to have hard-coded or default passwords exposing the admin interface. And at the 2018 Black Hat Security Briefings, security researcher Christopher Domas demonstrated a way to gain Ring-0 privilege on older processors. While the technique was limited by the age of vulnerable processors, it demonstrated the prevalence of devices that have privileged access locked by a simple hard-coded secret.
"Backdoors built by default into a product with a standard reused secret are a dangerous thing," says Ray Canzanese, director of the threat labs at cloud security provider Netskope. "A leak of that secret means that anybody can now access any of those devices. And we, the industry, concluded long ago that is not a good approach to security."
Verkada issued an apology on Friday, acknowledging the breach of video and image data from a limited number of cameras, but also suggested the company will retain the ability to view any client's video stream. The video service will, however, create a better approach to logging access to customers' data, has prioritized the hiring of security engineers, and has contracted with third-party security consultants to conduct a review, CEO Filip Kaliszan said in the statement.
"While we already have robust logging and audit capabilities, we will ensure that customers receive proactive notifications whenever their data is accessed by Verkada, including by our technical staff," Kaliszan said.
While many vendors retain some level of access to devices and services, suppliers should review what privileges are necessary to maintain their products and services and clearly communicate that to customers, says ExtraHop's Costlow.
"While a managed service provider is explicitly given access to devices, most businesses do not expect vendors to have the same level of access. Any such access should have significant controls, restrictions, and auditing in place," he says.
"It is considered brittle security when you have one control protecting everything, and that is what appears to be the case here," Costlow says. "Once you have access to one [credential], you've got access to everything — that is an anti-pattern. That is not the way that it should be designed."
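As an added example (not code from the article, Verkada, or any of the firms quoted), the two controls discussed above, notifying a customer whenever vendor staff touch its data and flagging a single principal that spans many tenants in a short window, can be implemented as a small audit-log review. The log format, the vendor domain, the role names and the thresholds are assumptions; the events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): one JSON record per
# access to a customer organization's camera data.
SAMPLE_AUDIT_LOG = """
{"ts": "2021-03-08T14:00:00Z", "actor": "alice@customer-a.example", "role": "org_admin", "org": "customer-a", "action": "view_stream"}
{"ts": "2021-03-08T14:01:10Z", "actor": "support-7@vendor.example", "role": "super_admin", "org": "customer-a", "action": "view_stream"}
{"ts": "2021-03-08T14:02:30Z", "actor": "support-7@vendor.example", "role": "super_admin", "org": "customer-b", "action": "view_stream"}
{"ts": "2021-03-08T14:03:05Z", "actor": "support-7@vendor.example", "role": "super_admin", "org": "customer-c", "action": "view_stream"}
{"ts": "2021-03-08T14:04:00Z", "actor": "bob@customer-b.example", "role": "org_admin", "org": "customer-b", "action": "view_stream"}
"""

VENDOR_DOMAIN = "vendor.example"  # assumption: vendor staff accounts live here


def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def vendor_access_notifications(events):
    """One notification per vendor-side access: (customer org, actor, role, time)."""
    return [(e["org"], e["actor"], e["role"], e["ts"])
            for e in events if e["actor"].endswith("@" + VENDOR_DOMAIN)]


def cross_tenant_alerts(events, max_orgs=2, window=timedelta(minutes=10)):
    """Flag any principal that reaches more than max_orgs distinct orgs within window.

    A legitimate org admin stays inside one tenant; a credential that fans out
    across tenants is the 'one control protecting everything' pattern.
    """
    by_actor = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        by_actor[e["actor"]].append((ts, e["org"]))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start time
            orgs = {org for t, org in hits[i:] if t - t0 <= window}
            if len(orgs) > max_orgs:
                alerts.append((actor, sorted(orgs)))
                break
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUDIT_LOG)
    print(vendor_access_notifications(evts))
    print(cross_tenant_alerts(evts))
```

In the sample, the customer admins generate no alerts, while the vendor super-admin account produces three customer notifications and one cross-tenant alert.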
On Friday Swiss authorities raided the apartment and seized the electronic devices of Tillie Kottmann, the hacker responsible for sharing video and images of the compromise, according to a Bloomberg News report. Tweets posted to Kottmann's now-removed Twitter feed suggest the hacker and possible associates — using the moniker APT-69420 Arson Cats — had targeted the companies seemingly out of pique.
"APT-69420 wishes all companies affected a very have fun (sic) doing incident response," Kottmann tweeted, according to a detailed Cloudflare blog post responding to the incident.
The incident could have been much worse. Cloudflare, for example, said in its post that the breach only accessed the video cameras and that the company's implementation of a zero-trust architecture limited any breach.
"[I]f we had been using the old castle-and-moat style of corporate networking (where anything and anyone on the corporate network are inherently trusted) the outcome could have been different," stated John Graham-Cumming, chief technology officer at Cloudflare, in the blog post. "This is why Zero Trust is so powerful. It allowed us all to work from home because of COVID-19 and it means that an attacker who got into the office network doesn't get any further."
