This week, AZ Family News reported “Security cameras at Tempe hospital, Graham County detention center allegedly hacked in huge breach,” detailing a potential security breach at St. Luke’s Hospital in Tempe, AZ. The article cited startup Verkada Inc., which produced the security cameras for St. Luke’s, explaining how hackers are able to target and access these systems.
Aaron Jones, UAT Lead Cyber Instructor and leader in the local cyber community, commented on this story as well as how it is possible for hackers to infiltrate systems such as these.
“The hackers claimed to have accessed data and live feeds from 150,000 cameras used by Verkada clients, including big names like Tesla and software company Cloudflare.
Ubiquitous surveillance is a double-edged sword, and while cameras have been instrumental in solving crimes and locating missing persons, their use can also be a severe blow to privacy. The current "attack" perpetrated by an alleged collective of individuals is another strong indicator that some basic security practices are not being followed.
Of note is the mention that administrator access was gained through the use of credentials found on the internet. This is a strong indicator that two-factor authentication was not in place and therefore, someone’s admin account, once breached, was the only piece of protection between the outside world and their most private files.
It also would be indicative, if it is true that only a single set of credentials was used, that it is possible the admin was reusing credentials in multiple places. Another thing we certainly would not want to do.
Companies who have had their data accessed are still victims, even if a third party was the ultimate culprit. We have seen this targeting of third-party providers in many breaches, such as the famous Target breach, and it is a concern that we should always keep in the back of our minds. We can do much to secure our own systems, but what are our partners doing to secure theirs?
We should expect that any piece of infrastructure left online could be of interest to someone with ill intent. Cameras are a very easy target and, due to their very nature, will often contain plenty of entertaining or interesting data. I believe this "breach" is an excellent reminder of how important it is to follow basic security practices, such as not reusing credentials, implementing two-factor authentication, and working with your vendors to verify that they are following industry standard practices in cyber security.”
More about Aaron: Aaron Jones, the lead Cyber Instructor at the University of Advancing Technology, is a software developer who currently creates applications for law enforcement. He is also an AZ POST certified General Instructor as well as a public speaker. He earned a B.Sc. in Computer Information Systems from Park University in 2013 and an M.A. in Intelligence Analysis with a focus in Cyber Security in 2014. He has been the recipient of recognition from the El Paso Police Department, State of Texas, Texas Military Forces, Chandler Police Department, and others.
Interested in studying cyber security?
Sponsored by the U.S. National Security Agency and Homeland Security Department, University of Advancing Technology’s ethical hacking degree is highly regarded by industry and government entities. UAT’s Network Security Bachelor of Science degree prepares students to take on the ever-evolving world of information security. Network security students will receive hands-on technical training and learn best-of-class software and network programming and essential network security analysis.