Verkada, the Silicon Valley surveillance-camera vendor, disclosed yesterday that an unauthorised party had obtained super-administrator credentials for the company's customer-facing administrative tooling and, through that tooling, had reached live feeds and historical recordings from approximately 150,000 cameras deployed at customer organisations including Tesla factories, hospitals, schools, prisons and corporate offices (Verkada statement, March 9). Bloomberg's reporting, based on Tillie Kottmann's account (Bloomberg, March 9), indicates the credentials were found on a publicly exposed Verkada Jenkins server and were working super-admin credentials: no privilege-escalation work was needed, only a login.
The trust model for cloud-managed IoT is the structural concern. Verkada's proposition is cameras-as-a-service: customer organisations deploy Verkada cameras and use the Verkada cloud platform for centralised management, recording storage and access control. That proposition depends on customers trusting that the platform itself is operationally secure. Super-admin credentials reachable from a public Jenkins server show that the platform's operational security fell short of what customers were assuming, and a single role able to view any tenant's cameras means the exposure was across the entire Verkada customer base at once. No individual customer could have detected the problem or prevented exposure of its own deployment: customer-side controls (camera placement, network segmentation, egress filtering) bound what a camera can see and reach, but they cannot stop a vendor-side account from viewing feeds that are shipped to the vendor's cloud by design.
The pattern belongs to the same family as Cloudbleed in 2017 (a single parser bug at the CDN edge leaking other tenants' data across the whole Cloudflare customer base), the supply-chain compromises of 2018 to 2020, and the Twitter Bitcoin hack of July 2020 (abuse of internal administrative tooling). The structural lesson is consistent: in 2021 a customer organisation's security posture is partly a function of its vendors' security posture, so the customer programme has to treat vendor-trust verification as a substantive discipline. The cost of that discipline is real and is increasingly central to vCISO programme conversations.
For the customer portfolio, the immediate question is whether any customer organisation runs Verkada cameras. The audit found one: the manufacturer's UK-side facilities-management vendor uses Verkada cameras at one site for visitor management, and the customer-side response is in progress. That finding is second-order (the cameras belong to a vendor's vendor), which is exactly the kind of dependency a direct asset register misses. The wider vCISO conversation about cloud-managed IoT platforms has been substantive this week. Several customer organisations run other cloud-managed IoT platforms (door access control, building-management systems, environmental sensors) where the same trust-model question applies, and the audit cycle for those platforms is being pulled forward.
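As an added example (not Verkada's code, not the page's, and not any customer's tooling), the following Python builds a first-pass inventory of internal hosts that resolve cloud-managed IoT platform endpoints, from DNS query logs. This is the check the audit above needs, and it catches a vendor's vendor that an asset register misses, because a camera or door controller announces its platform by what it resolves. The vendor-to-domain map, the log format and the log lines are all constructed placeholders: substitute each vendor's documented cloud endpoints and your resolver's real log format.

```python
import re
from collections import defaultdict

# Constructed vendor -> cloud-endpoint suffixes.  Placeholders, not any real
# vendor's domains; fill in from each platform's own documentation.
VENDOR_DOMAINS = {
    "camera-cloud-vendor": ("cams.example-cloud.net", "stream.example-cloud.net"),
    "door-access-vendor": ("api.example-access.io",),
}

# Constructed resolver log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")

# Constructed sample lines.  10.20.5.41 is a camera polling its cloud every
# few seconds; 10.20.9.7 is a door controller; 10.20.1.100 is ordinary browsing.
SAMPLE_DNS_LOG = """\
2021-03-10T08:00:01Z 10.20.5.41 query cams.example-cloud.net
2021-03-10T08:00:02Z 10.20.5.42 query stream.example-cloud.net
2021-03-10T08:00:03Z 10.20.5.41 query eu1.cams.example-cloud.net.
2021-03-10T08:00:05Z 10.20.9.7 query api.example-access.io
2021-03-10T08:00:06Z 10.20.1.100 query www.example.org
2021-03-10T08:00:07Z 10.20.1.100 query notcams.example-cloud.net
2021-03-10T08:00:09Z 10.20.5.41 query cams.example-cloud.net
"""


def vendor_for(qname):
    """Map a queried name to a vendor, matching the suffix at a label boundary
    so 'notcams.example-cloud.net' does not match 'cams.example-cloud.net'."""
    name = qname.rstrip(".").lower()
    for vendor, suffixes in VENDOR_DOMAINS.items():
        for suffix in suffixes:
            if name == suffix or name.endswith("." + suffix):
                return vendor
    return None


def parse_dns_log(text):
    """Yield (timestamp, client, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("client"), m.group("name")


def build_inventory(text):
    """Return {vendor: {client_ip: {"queries": n, "first": ts, "last": ts, "names": set}}}
    for every client that resolved a known vendor endpoint."""
    inventory = defaultdict(dict)
    for ts, client, name in parse_dns_log(text):
        vendor = vendor_for(name)
        if vendor is None:
            continue
        rec = inventory[vendor].setdefault(
            client, {"queries": 0, "first": ts, "last": ts, "names": set()})
        rec["queries"] += 1
        rec["last"] = ts
        rec["names"].add(name.rstrip(".").lower())
    return {vendor: clients for vendor, clients in inventory.items()}


def report(inventory):
    """Render the inventory as lines for an audit note."""
    lines = []
    for vendor in sorted(inventory):
        lines.append(f"{vendor}:")
        for client, rec in sorted(inventory[vendor].items()):
            names = ", ".join(sorted(rec["names"]))
            lines.append(f"  {client}  {rec['queries']} queries  "
                         f"{rec['first']} .. {rec['last']}  [{names}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_inventory(SAMPLE_DNS_LOG))))
```

The suffix match is deliberately anchored at a label boundary; a plain `endswith` would pull unrelated hosts into the inventory, and the first/last timestamps per client are what distinguish a device that beacons continuously from a laptop that visited a vendor's website once.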
The Verkada case has also produced a useful conversation about the boundaries of lawful research activity. On the Bloomberg reporting, the Tillie Kottmann account that produced the disclosure was a deliberate act of demonstration and disclosure. The legal exposure of that activity is non-trivial; the public-interest case for the disclosure is substantial; and the boundary between security research and unauthorised access is, in 2021, contested in ways that the Computer Fraud and Abuse Act in the US and the Computer Misuse Act in the UK are still working through. Any proceedings that follow will inform that boundary, and the security-research community will be watching them with interest.
For the customer briefings, the operational lesson is the standard supply-chain vendor-trust conversation applied specifically to cloud-managed IoT. Several customer organisations have programmes under way that will, in 2021, deliberately reduce reliance on cloud-managed IoT for high-sensitivity surveillance and move toward self-hosted or on-premises managed alternatives. The trade-off (cloud-managed convenience against self-hosted control) is settled differently after Verkada than it was a week ago.
I will return to this. The cloud-managed-IoT conversation continues.