Last week, Silicon Valley-based Internet of Things (IoT) security and surveillance provider Verkada announced a major cyberattack, which allowed hackers to gain access to live feeds and archive video associated with 150,000 cloud-connected devices. Most organizations affected by the attack found out about it when their surveillance images—including footage from inside prisons, hospitals, and software providers—started circulating online. The attackers were able to gain access to the command-and-control systems of these cameras, which gave them unfettered access to cameras in organizations across the world.
Whenever there is a cyberattack of this nature, it leads people to question the security of cloud solutions. However, this shouldn’t cause general fear, uncertainty, or doubt around using systems that have a cloud architecture. A well-designed cloud system is perfectly secure.
While the details of the compromise are not yet available to the public, there are several hints as to the vulnerabilities of this specific hack, and some key actions enterprise IoT users can take to protect themselves against similar attacks.
“The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras.”
– A note from CEO Filip Kaliszan, Verkada
The system was compromised by accessing a vulnerable support server. The fact that a support server has either direct access to the command-and-control of cameras themselves, or the fact that it could be used to penetrate another system with access, suggests vulnerabilities in the vendor’s overall design. Simply, their network infrastructure is not configured with a model of zero trust. Founded by former Forrester Vice-President and Principal Analyst John Kindervag, zero trust is a security framework that reduces the potential for data breaches by removing default trust/access to systems, even those within the firewall.
“…we have no evidence at this time that this access was used maliciously against our customers’ networks.”
Filip Kaliszan
If the IoT device is installed within a corporate network, it’s easy to setup the network so devices don’t have access to anything within the network. VLANs and Layer 2 switching make physical separation of networks easy, and can avoid security concerns. Most hacks are not due to the inherent security of the solution, but the mistakes made in securing it.
Enterprise IoT customers can also ensure that any connected device coming into the organization is updated from default passcodes or admin passwords. In an interview regarding the Verkada breach with CCTVBuyersGuide, Asaf Hecht, Cyber Research Team Leader from CyberArk commented, “The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer.”
“While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact.”
Is Sera4’s Teleporte cloud solution for keyless access control safe?
TL;DR YES!
At Sera4, we easily argue that our Teleporte cloud architecture enhances your organization’s security.
Cloud Security By Design
Teleporte implements a network design that doesn’t have support servers connected to our private cloud. Teleporte implements its services in independently ISO 27001 managed data centers; there is no dependence or connectivity on support servers in our office. The office is a place to work—not a place we depend on to run our products.
Teleporte, when implemented in the cloud instead of an enterprise network, means our customers don’t have to worry about compromised systems affecting Teleporte services—and neither do we. Internal enterprise systems, and even your employees, don’t have direct access to the Teleporte servers.
Finally, Teleporte locks and lock controllers don’t have IP addresses. They aren’t directly connected to the Internet, and as such can’t be opened en mass by an external hacker. Equally, they could never be taken over to compromise your enterprise network.
Cloud Security By Experts
Ultimately, there are many examples of products that operate effectively from the cloud. The best cloud products were built by experts who approach products and solutions with a security first mindset. The Sera4 team is comprised of network, mobile, and embedded experts, and a security first approach is in our DNA. Our solutions were purpose built to provide the most secure, scalable, and reliable keyless access control on the market. Book a demo of our Teleporte solution and you’ll find that the decision is easier to trust than the alternatives.