A CSO’s perspective on the recent Verkada cyber attack
At Okta we are committed to ensuring the safety of our employees and workplaces. Nothing is more important to us than the trust of our employees, customers and partners. Transparency is one of our core values and in that spirit, I wanted to offer a reflection on the recent Verkada cyber attack. We partner with a number of cloud technology companies to achieve our holistic approach to security, and one of those companies is Verkada. It supplies us with cameras that we use in our office entrances in support of our physical security program.
This past Tuesday, a number of media outlets reported that Verkada was the victim of a cyber attack that resulted in access to their internal systems as well as to their customer accounts and the ability to view footage on connected cameras. A tweet from the attacker mentioned Okta as one of the customers they had accessed as part of this hack.
Image: Twitter
Let me be clear: the Okta service was not impacted. No Okta systems or networks were affected in any way. This attack only impacted 5 security cameras and did not impact any other systems at Okta.
Okta has built a secure, reliable infrastructure in the cloud founded on Zero Trust principles that significantly reduces the risk to the Okta service caused by events like this. We take the concept of Zero Trust extremely seriously -- we live it and breathe it at Okta. As part of our threat modelling, we had already contemplated this scenario and implemented a number of protections to defend against it. All untrusted devices, such as those managed directly by third parties, are placed on an isolated network with strict controls that make it impossible for them to connect to any other part of the Okta network. Under a Zero Trust architecture, these devices cannot be used for lateral movement even if the third party or supplier responsible for the device is compromised, as in this case.
Within an hour of learning about the potential attack, we contacted Verkada and were made aware that they had already disabled all of the access that the attacker had obtained. After independently confirming that this was indeed the case, our internal response team began to determine what actions the attacker attempted to perform. From our analysis, the attacker used the Verkada tools to download six archived recordings from five different cameras. The attacker was present for only eight minutes of activity. An example image from one of the recordings is below that shows the entrance to one of our offices.
Image: View from a camera outside an Okta office entrance
Additionally, as part of public coverage of the hack, the attacker stated that they had obtained root shells inside the Okta corporate network. Verkada’s internal support tools provide access to a command prompt as a feature of the platform; therefore, no “hack” of Okta was performed to obtain this level of access. Screenshots have emerged online showing the attacker running basic commands on one of these prompts. We performed detailed analysis of the device logs jointly between Okta and Verkada and that analysis revealed no such actions were taken by the attacker on Okta owned devices. The only activity performed by the attacker in the 8-minute window was to download the archived footage taken of our office entrances.
Images showing the commands run inside a camera in a since-deleted tweet (no commands were run on our devices).
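The two controls described above, an isolated segment that a third-party device cannot leave, and a review of device traffic for the incident window, can be expressed as a small policy check and log scan. The following is an added example, not Okta's or Verkada's code: every address, subnet, port and log line is constructed for illustration, and the flow-log format is assumed. It encodes a default-deny egress policy for a camera VLAN (vendor cloud and local DNS/NTP only, never a corporate subnet), then runs constructed flow-log lines through it to surface two things a responder would want from the eight-minute window: attempted connections from the camera segment towards corporate subnets, and any flow the firewall allowed that the policy says it should have denied.

```python
"""Segmentation-policy check for an isolated third-party camera VLAN and a scan
of flow-log lines for lateral-movement attempts out of that VLAN.

Added example. All addresses, subnets, ports, the log format and the policy
values are constructed; none of them is Okta's or Verkada's configuration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Constructed segmentation policy -----------------------------------------
CAMERA_VLAN = ipaddress.ip_network("192.168.250.0/24")       # isolated device segment (assumed)
VENDOR_CLOUD = ipaddress.ip_network("203.0.113.0/24")        # vendor SaaS range (placeholder, TEST-NET-3)
LOCAL_RESOLVER = ipaddress.ip_network("192.168.250.1/32")    # gateway offering DNS/NTP to the VLAN (assumed)
CORPORATE_SUBNETS = [ipaddress.ip_network("10.10.0.0/16"),    # corporate user network (assumed)
                     ipaddress.ip_network("10.20.0.0/16")]   # corporate server network (assumed)

# Explicit allow-list for traffic leaving the camera VLAN; anything not listed is denied.
ALLOW_RULES = [
    (VENDOR_CLOUD, "tcp", 443),     # cloud management and footage upload
    (LOCAL_RESOLVER, "udp", 53),    # DNS
    (LOCAL_RESOLVER, "udp", 123),   # NTP
]


def is_flow_permitted(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default-deny policy decision for one flow sourced from the camera VLAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in CAMERA_VLAN:
        return False  # this policy only governs traffic that originates in the camera VLAN
    if any(dst_ip in net for net in CORPORATE_SUBNETS):
        return False  # cameras never reach corporate segments, with no exceptions
    return any(dst_ip in net and proto == p and dport == port
               for net, p, port in ALLOW_RULES)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # what the firewall actually did: ALLOW or DENY


# Assumed flow-log line shape: "<ISO8601Z> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<ALLOW|DENY>"
_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)")


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow; raise on anything else."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, m["src"], m["dst"], m["proto"], int(m["dport"]), m["action"])


def review_window(lines, start: datetime, end: datetime):
    """Return (lateral_attempts, policy_drift) for camera-VLAN flows with start <= ts <= end.

    lateral_attempts: flows from the camera VLAN towards a corporate subnet, blocked or not
                      (the attempt itself is the signal a responder wants to see).
    policy_drift:     flows the firewall ALLOWed that the policy says must be denied.
    """
    lateral, drift = [], []
    for line in lines:
        f = parse_flow_line(line)
        if not (start <= f.ts <= end) or ipaddress.ip_address(f.src) not in CAMERA_VLAN:
            continue
        if any(ipaddress.ip_address(f.dst) in net for net in CORPORATE_SUBNETS):
            lateral.append(f)
        if f.action == "ALLOW" and not is_flow_permitted(f.src, f.dst, f.proto, f.dport):
            drift.append(f)
    return lateral, drift


# Constructed flow-log lines covering the eight-minute window in the post's timeline.
SAMPLE_LOG = """\
2021-03-08T19:00:42Z src=192.168.250.12 dst=203.0.113.7 proto=tcp dport=443 action=ALLOW
2021-03-08T19:01:05Z src=192.168.250.12 dst=192.168.250.1 proto=udp dport=53 action=ALLOW
2021-03-08T19:03:18Z src=192.168.250.12 dst=10.10.5.4 proto=tcp dport=22 action=DENY
2021-03-08T19:03:19Z src=192.168.250.12 dst=10.20.1.1 proto=tcp dport=445 action=DENY
2021-03-08T19:05:30Z src=192.168.250.12 dst=198.51.100.9 proto=tcp dport=8080 action=ALLOW
2021-03-08T19:30:00Z src=192.168.250.12 dst=10.10.5.4 proto=tcp dport=22 action=DENY
""".splitlines()

WINDOW_START = datetime(2021, 3, 8, 19, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 8, 19, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    lateral, drift = review_window(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    print(f"lateral-movement attempts in window: {len(lateral)}")
    for f in lateral:
        print(f"  {f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.action})")
    print(f"policy drift (allowed by firewall, denied by policy): {len(drift)}")
    for f in drift:
        print(f"  {f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The corporate-subnet check runs before the allow-list on purpose: an allow rule can never be written loosely enough to reopen a path into corporate segments. Treating a denied attempt as a finding in its own right, rather than only counting successes, is what lets a responder state positively that no lateral movement was attempted, which is the conclusion the timeline above records.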
It’s important to learn from every security incident. First, it highlights the need to be ever-vigilant in thinking about cyber resilience in the face of new technologies. Effective threat modelling before, during, and after deployment ensures that if and when security incidents do happen, you are in the strongest position to defend against them. Most importantly, you can’t underestimate the importance of moving away from a traditional, perimeter-focussed security strategy and embracing Zero Trust architectures. This moment is yet another example of Zero Trust principles at work and the benefits couldn’t be more clear.
Timeline of Events (UTC)
2021-03-08 19:00 - Attacker accesses Verkada’s web management console impersonating an Okta administrator
2021-03-08 19:00 - 19:07 - Attacker uses Verkada web console access to download 6 videos of archive footage
2021-03-09 23:57 - Attacker posts to Twitter stating that they had root shells on Okta’s corporate network
2021-03-10 01:20 - Okta mobilises cyber defense capability to respond to the alleged compromise and engages with Verkada and cyber defense partners
2021-03-10 04:46 - Okta receives log data from Verkada that provides evidence of the 6 instances of archive footage that were downloaded by the attacker
2021-03-10 10:00 - Okta security concludes that no attempts were made to move laterally from Verkada devices to other parts of Okta’s network
2021-03-10 22:31 - Okta receives confirmation and evidence from Verkada that no remote commands were executed on Okta’s Verkada devices by the attacker