Thousands of Verkada cameras were easily accessible to employees as well as hackers.

According to new reports, employees at cloud-based surveillance firm Varkada had wider access to feeds from customers’ cameras. Bloomberg And The washington post.

Verkada’s systems were recently disbanded by a “hactivist” collective that gained access to more than 150,000 of the company’s cameras in locations ranging from Tesla factories, police stations, gyms, schools, prisons and hospitals. The group, which calls itself Advance Percent Threat 69420, stumbled across online log-in credentials for Verkada’s “Super Admin” accounts. He publicized his findings, saying They were “inspired by a lot of curiosities, fighting for freedom of information and against intellectual property, a large dose of capitalism, a sign of anarchism – and it’s also very funny not to do it.”

Now, anonymous Verkada employees say that the same “Super Admin” accounts hackers accessed were also widely shared within the company itself. More than 100 employees had super admin privileges, report Bloomberg, Meaning that these individuals can browse live feeds at any time from thousands of cameras around the world. A former senior-level employee told the publication, “We had 20-year-old interns with access to over 100,000 cameras and could see all their feeds globally.”

Verkada, meanwhile, says access was limited to employees who needed to solve technical problems or user complaints. Silicon Valley said in a statement, “Both Workada’s training program for employees and policies for employees are clear that it is necessary to support staff members and seek the customer’s explicit permission before accessing the customer’s video feed.” Bloomberg

.

The washington post, However, cites the testimony of surveillance researcher Charles Rowlett, who says that individuals with close knowledge of the company told him that Verkada employees could access the feed without customers’ knowledge. “People don’t realize what happens on the back-end, and they believe that these super-formal procedures are always in place when accessing the footage, and that the company will always need to give explicit consent,” Rowlett said said. But clearly this is not always the case. “

Another former employee told Bloomberg However, this document was not taken seriously when Varkada’s internal systems asked workers to explain why they were accessing the customer’s camera. “Nobody cared to check the logs,” the employee said. “You could put whatever you wanted in that note; You can enter only one location. “

Picture: Verkada

Verkada’s cloud-based cameras were sold to customers based on its analytical software. A feature called “People Analytics” allows customers to “search and filter based on individual characteristics, including gender traits, color of clothes, and even a person’s face,” said Vercada. said blog post. Their cloud-based system gave customers easy access to their camera feeds and enabled breech.

Hacker Collective Advanced Percent Threat 69420 (name is a node of taxonomy used by cyber properties to catalog United States-sponsored hackers with lamb numbers 69 and 420) They are aware of the public of such ubiquitous surveillance threats Wanted to get it done. A member of the group said the breach “exposes how widely we are surveying, and at least how the platforms are used to protect.” Bloomberg. “It’s just wild how I can see the things we always knew we were happening, but we never got to see.”