The recent Verkada security breach should help move our industry in the right direction.
It’s not easy to make the business case for IoT Product Security. The effort is significant: the manufacturer needs to hire and train product security staff, and invest in improving product security, impacting cost in a market that often has razor-thin margins.
In stories from the field, the actual losses have been from damages to third parties.
The Mirai botnet attack hijacked IoT devices to create a DDOS network for hire. It did not affect the device vendors, or even their customers, directly. The Target attack that was carried out through the HVAC contractor’s systems was twice removed from the HVAC equipment vendor.
The Verkada attack, in contrast, gets the Product Security discussion closer to the business.
If you combine this with the recent Solarburst breaches that infiltrated SolarWind’s product development process and distributed software that included a third-party backdoor to many of SolarWinds’ 18000 customers, you get a clear call to action for Product Security process and tools improvement.
In light of all of these, the recent Verkada security breach should help move our industry in the right direction. Verkada had already started taking the right steps by investing in Product Security personnel, processes and product. Their marketing has focused on Product Security.
However, their security system was still breached by a hacker who exposed video feeds from many Verkada customers and claimed it could expose all of them. The hacker used administrator-level credentials that allowed access to ALL deployed cameras.
Verkada responded within 48 hours: better than the responses in many other breaches in recent years. We do not know publicly how they detected the breach, and whether the trigger was the hacker publication, but having a deterministic positive security system on the devices topped off by an anomaly detection system running on data from end-device communication would enable protection and even faster detection, and it would allow them to pinpoint the specific administrator account that was behaving irregularly.
If it can happen to Verkada, it can likely happen to many other vendors out there.
Given their existing security focus, this is Verkada’s opportunity to shine and to further improve their security, and especially their Product Security.
For all others, securing your camera software development process, verifying that no passwords or other secrets are hardcoded, and communicating and fixing any identified vulnerabilities, are still great advice.