MADISON COUNTY, Ala. – A group of hackers claims to have breached over one hundred thousand cameras located in facilities all over the country, including at the Madison County Jail. The report originally came from Bloomberg on Tuesday, stating the common thread is the tech startup called Verkada, who manufactures the cameras.
“If somebody has enough time and the skill set, it’s actually fairly easy to compromise a lot of these systems,” said Huntsville cybersecurity company CEO Jarrod Hardy.
Hardy owns technology company Xyston. “we’ll find vulnerabilities and we’ll find ways to compromise so we can do it before the bad guys do,” Hardy said.
His team works with businesses to find gaps in their security using the same methods as one hacker claiming partial responsibility for the Verkada breach, calling themselves Tillie Kottmann.
We spoke to Kottmann and they told us the group calls themselves ‘Advanced Persistent Threat 69420,’ and their goal is to expose vulnerabilities in these networks.
In a statement with News 19, Kottman said, “We could have accessed any cameras or clips we wanted to from any place during the entire time of our engagement which was probably around 36 hours.”
Kottmann sent News 19 a file filled with evidence of that claim, many visuals from Madison County’s jail, even including interviews of what appear to be investigators questioning a man in handcuffs, with clear audio.
Hardy said a breach like this is one any mid-level hacker could accomplish, and many companies use smart technology just like Verkada’s.
“The unfortunate thing is we use them every day and we depend on them heavily for what we do in our daily lives and unfortunately if they don’t have the proper security measures in them, they can be compromised like what we’ve seen here in Huntsville,” Hardy said.
Kottmann agreed, stating this hack, which also gave access to some of the largest companies in the world, like Tesla, proves online surveillance camera systems are vulnerable.
“Its mostly just a thing of patience and maybe a bit of technical knowledge that was required to find this,” Kottmann said.
Kottmann and Hardy agree in saying many companies skimp on investing in what are called “pentests,” ensuring a company’s information is secure not only for their own safety, but their customer’s as well.
“I think we’re still in a phase in the U.S. where we’re trying to promote more of that kind of pentest and those sort of engineering activities and services so that we can protect these systems and prevent these kinds of situations,” Hardy said.
Kottmann is looking to the more immediate future, offering their advice to those impacted by their group’s breach:
“I don’t think anyone should trust this company ever again, after this,” Kottmann said. “Ideally you should immediately disconnect all cameras from your network,” Kottmann said.