Hacker News new | ask | show | jobs
by cxcorp 1934 days ago
> The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.

So you're telling me that the interface that grants you access to ALL of your customers' (including hospitals and schools) data and shells to the cameras doesn't even require 2FA? W...w-what?
3 comments
Snawoot 1934 days ago
Year ago I've published full disclosure on similar case with Chinese IP cameras, DVRs and NVRs: https://habr.com/en/post/486856/

Interesting thing is super-user account was discovered earlier, but vendor swept it under the rug few times, adding trivial obstacles on each occasion. My article describes latest case, breaking encrypted challenge based on hard-coded secret key and homegrown 3DES variant.

link
wrs 1934 days ago
Why does an account with that capability even exist in the first place? And if it does exist, how does unexpected use of it not set off alarms?
link
Psychlist 1934 days ago
Often it's more that it is hard to avoid having that account. And management don't see the point in making it so that they need to get two underlings working together to jump through hoops to trace through the whole stack and work out why the camera monitoring the Very Important Customer's executive liquor cabinet was offline when persons unknown emptied it.

For small companies often "devops" is one person, sometimes even one person who also does other stuff. I like to think I've made it difficult for that specific person to get complete control of any specific device that we've sold, but I'm also aware that it takes one bug in one of those devices to undo anything I can do on the server side. All they need to do is get the public IP from my system (which is needed right down to customer service level), knowledge of a bug and bingo... they have control. Especially if the bug is "customer chose an obvious password" .

link
mylons 1934 days ago
Everyone underestimates how lazy people really are
link