Security Camera Vendor Faces FTC Action for Lax Security Practices
The Federal Trade Commission (FTC) has proposed a $2.95 million penalty against Verkada, a security camera vendor, for multiple security failures that allowed hackers to access live video feeds from 150,000 internet-connected cameras. The FTC alleges that Verkada not only failed to implement basic security measures but also misrepresented its products’ security to customers.
Verkada’s Security Lapses and Misrepresentations
The FTC’s investigation revealed that Verkada had a history of security lapses and misleading claims about its security practices. Here are the key findings:
- March 2021 Breach: A group of hackers, known as APT-69420 Arson Cats, exploited a vulnerability in Verkada’s customer support server, gaining admin-level access to the company’s Command platform. This allowed them to access live feeds from 150,000 cameras, including those in sensitive environments like women’s health clinics, psychiatric hospitals, prisons, and schools. The hackers extracted several gigabytes of video footage, screenshots, and customer details.
- December 2020 DoS Attack: A hacker exploited a flaw in a legacy firmware build server within Verkada’s network and installed the Mirai botnet malware on it to launch denial-of-service (DoS) attacks. Verkada was unaware of the compromise for two weeks, until Amazon Web Services (AWS) flagged suspicious activity on the breached server.
- Misleading Security Claims: Verkada claimed to use “best-in-class data security tools and best practices” to protect customer data. However, the FTC found that Verkada failed to implement basic security measures like requiring complex passwords, encrypting customer data at rest, and implementing secure network controls.
- False Compliance Claims: Verkada also falsely claimed its products were compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.
FTC’s Action and Verkada’s Response
The FTC’s proposed settlement requires Verkada to pay a $2.95 million civil penalty and implement a comprehensive security program. The program includes:
- Regular Security Assessments: Verkada must conduct regular security assessments by its own IT team and independent third parties.
- Security Safeguards: Verkada must implement and test security safeguards to protect customer data.
- Employee Training: Verkada must provide employee training on data security.
The settlement also prohibits Verkada from misrepresenting its privacy and security practices or compliance with standards like HIPAA and the Privacy Shield. Verkada must report any cybersecurity incidents to the FTC within 10 days of notifying another U.S. government entity. Finally, Verkada’s commercial emails must include unsubscribe options.
In a statement, Verkada acknowledged the settlement but did not agree with the FTC’s allegations.
Technical Details of the Cyberattacks
- Vulnerability Exploitation: The hackers exploited a vulnerability in Verkada’s customer support server to gain admin-level access to the Command platform. The specific flaw is not identified; it likely involved a web application vulnerability such as SQL injection or cross-site scripting (XSS). Whatever the entry point, the damage came from a support system that held administrative privileges over every customer camera, so a single server compromise became a fleet-wide one.
- Mirai Botnet: Mirai is malware that infects internet-connected devices and enlists them in a botnet. Here it was installed on a legacy firmware build server inside Verkada’s network and used to launch DoS attacks, and the infection went unnoticed for two weeks until a third party reported it. This highlights the importance of patching or decommissioning legacy servers promptly and of monitoring their outbound traffic closely enough to detect a compromise before an outside provider does.
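The two-week gap between the build-server infection and the AWS warning is the detection failure in this story. The following is an added example, not code from the article, Verkada or the FTC: a small Python analyser that reads NetFlow-style egress records and alerts when an internal host fans out to an unusual number of distinct external addresses in one time window, which is the traffic pattern a host flooding or scanning on behalf of a botnet produces. The log format, the 10.0.0.0/8 "internal" range, the thresholds and the sample hosts are all assumptions constructed for the example.

```python
"""Flag an internal server that has started behaving like a DoS/scanning bot.

Constructed example (not Verkada's or the FTC's code).  Assumptions: flow
records are '<iso-timestamp> <src> <dst> <dport> <bytes>', 10.0.0.0/8 is the
internal network, and the thresholds below are tuned for a build server that
normally talks to a handful of package mirrors.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, List, NamedTuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption for the example
EPOCH = datetime(1970, 1, 1)


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


class Alert(NamedTuple):
    src: str
    window_start: datetime
    flows: int
    distinct_dst: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def detect_outbound_bursts(flows: Iterable[Flow], window_seconds: int = 60,
                           max_distinct_dst: int = 50, max_flows: int = 200) -> List[Alert]:
    """Group egress flows (internal -> external) per source host into fixed
    windows and flag any window that fans out to too many destinations or
    carries too many connections.  A bot floods or scans hundreds of
    addresses per minute; a build server normally does not."""
    window = timedelta(seconds=window_seconds)
    buckets = defaultdict(list)
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue                        # only outbound traffic matters here
        idx = (f.ts - EPOCH) // window      # integer index of the fixed window
        buckets[(f.src, idx)].append(f)

    alerts = []
    for (src, idx), group in sorted(buckets.items()):
        distinct = {f.dst for f in group}
        if len(distinct) > max_distinct_dst or len(group) > max_flows:
            alerts.append(Alert(src, EPOCH + idx * window, len(group), len(distinct)))
    return alerts


def build_sample_flows() -> List[str]:
    """Constructed flow records: one well-behaved app server and one build
    server that has started flooding 300 external addresses in 30 seconds."""
    base = datetime(2020, 12, 3, 10, 0, 0)
    lines = []
    for i in range(5):                                  # normal: 2 destinations
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.5.20 203.0.113.{1 + i % 2} 443 {1500 + i}")
    lines.append(f"{base.isoformat()} 10.0.5.12 10.0.5.30 22 4096")   # internal, ignored
    for i in range(300):                                # bot-like fan-out
        ts = (base + timedelta(milliseconds=100 * i)).isoformat()
        dst = f"198.51.100.{i + 1}" if i < 250 else f"192.0.2.{i - 249}"
        lines.append(f"{ts} 10.0.5.12 {dst} 80 60")
    return lines


if __name__ == "__main__":
    for alert in detect_outbound_bursts(map(parse_flow, build_sample_flows())):
        print(f"{alert.window_start:%Y-%m-%d %H:%M} {alert.src}: "
              f"{alert.flows} egress flows to {alert.distinct_dst} distinct hosts")
```

Run as-is it reports a single alert for the constructed build server and nothing for the app server. In a real deployment the same logic would sit over VPC flow logs or a NetFlow collector, with per-host baselines replacing the fixed thresholds; the point is that a server whose only job is building firmware has no reason to open connections to hundreds of outside addresses, and that signal is visible to the owner long before a cloud provider's abuse team notices.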
Lessons Learned for Businesses
Verkada’s case highlights the importance of robust cybersecurity measures for businesses, especially those handling sensitive data. Key takeaways include:
- Prioritize Security: Businesses must prioritize security across all their online platforms, including web pages, databases, and internal systems. This includes regularly assessing security vulnerabilities, implementing strong access controls, and staying up-to-date on the latest cybersecurity threats and best practices.
- Be Transparent: Businesses should be transparent with customers about their security practices and any data breaches that occur.
- Avoid Misleading Claims: Businesses should avoid making misleading claims about their security practices or compliance with industry standards.
By taking these steps, businesses can significantly reduce the risk of cyberattacks and protect their customers’ sensitive data.