Verkada Breach Demonstrates Danger of Overprivileged Users

In re-evaluating supply chains, companies should classify vendors with super admin privileges to devices or backdoors as a significant threat.

Uber's God Mode. Hard-coded passwords in networking products. Rosenbridge processor backdoors. And now Verkada's super admin account that reportedly gave hackers — as well as more than 100 internal users — access to videos from tens of thousands of client cameras.


The list of massive security failures due to product or service architectures that give a single user or group unfettered privileges continues to grow. In the latest case, hackers gained access to a super admin account for the cloud service of security-camera startup Verkada, enabling them to view videos from nearly 150,000 cameras. Prisoners in county jails, factories for carmaker Tesla, and the offices of Internet-infrastructure firm Cloudflare were all viewable using privileged access, according to reports and hacker statements.


Accounts that have backdoor access to devices or unlimited service capabilities significantly undermine security — even more so as supply chain attacks have become more common, says Jeff Costlow, chief information security officer at ExtraHop, a cloud security firm.


"I'm OK with vendors having the ability to auto-update the device," he says. "That means they have control over the source code. But that doesn't mean that they have control over the device any time they want."


The massive breach of privacy of Verkada's customers highlights that companies — often, startups — have not always adopted best practices for privileged access to systems. The lesson is learned with regularity, often when a vendor's clients or customers have their security or privacy compromised.


A decade ago, for example, ride-share service Uber created a "God Mode" that gave administrators access to any Uber user's ride history