An organization of hackers has accessed the security systems in facilities owned by several public and private organizations, including jails, schools, hospitals, police departments, and facilities used by Tesla, Nissan, Equinox, and Cloudflare. The hackers say their goal was to access security systems that included cameras to reveal the extent to which video surveillance has become prevalent and the ease with which they could be accessed due to lax security measures.
The hackers were able to get into Tesla’s security system by exploiting a loophole that gave it access to a Super Admin account normally used by Information Technology professionals. The security flaw apparently exists in software created by a security camera manufacturer called Verkada and enabled the hackers to access footage from a total of 150,000 cameras.
A Switzerland-based anti-corporation “hacktivist” group known as APT-69420 Arson Cats has claimed responsibility for the act. Group spokesman Till Kottmann says that they first accessed the systems on March 8 and were able to maintain access for 36 hours. Kottmann described Verkada’s system as a “fully centralized system” that provided a single point of failure and made the hack possible.
Twitter has suspended Kottman’s account since the hack. Although the reason is unclear, the spokesman could have posted hacked video footage to Twitter, which is a violation of its policies.
A Verkanda spokesman says that the company has shut down all administrator accounts in an attempt to avoid a repeat. The company is currently investigating the incident.
Tesla has not yet released an official statement on the incident beyond saying that the hack only accessed systems used by a supplier in the Henan province of China. On the flip side, the Arson Cats claim to have accessed systems at Tesla facilities around the world. According to some tweets by members, many of which are now suspended or may be suspended soon, they were also able to obtain footage of ICU beds and police officers questioning a suspect.
Previous attempts to breach Tesla’s computer security apparatus include actions taken by by a former employee named Martin Tripp, who allegedly attempted to steal sensitive company data for distribution to third parties in 2018. It is also currently suing a software engineer named Alex Khatilov for theft of sensitive documents and storing them on Dropbox, although Khatilov says that his copying of the documents was an innocent mistake and he had no intention of using them in an unauthorized manner.
Previous cyberattacks include an attempt by Russian nationals to bribe an employee to inject malware into the computer system at a Tesla facility. The attempt was thwarted due to a report by the employee, who said that the Russian national who attempted to bribe him bragged about previous cyberattacks in which they were able to hold sensitive information for ransom.
In this case, Till Kottmann says that the hack wasn’t for profit or even an attempt to steal sensitive information, but rather, an attempt to show how vulnerable Verkanda’s systems were and how prevalent surveillance is, including reaching into places that should reasonably be private, like beds in an ICU ward. She called the security “nonexistent and irresponsible,” making it easy to access with an unsophisticated attack like the one pulled off by her group. She provided the major news outlet CBS with images from the footage and told reporters that she was unworried about the possible consequences.