IoT and Cloud solution, a security problem
Geraint Williams
CISO @ Modern Networks - Protecting Modern Networks and its clients. Franchise Owner @ Going Digital East Anglia · Part-time photography and coach
It has been announced that Verkada have been hacked and over 150,000 cameras compromised. For me this was a perfect example of the problem I have been discussing: how the IoT can be secured, especially when it is used in conjunction with cloud services rather than as a totally on-premise solution.
Verkada provide a service that links cameras, access control and sensors together with a cloud platform to provide CCTV/Access Control as a Service. Data from the sensors and cameras is stored in the cloud, and software can track people of interest, identify footfall and traffic patterns of people, and provide search functions such as looking for a particular car type in a garage. This hybrid approach of IoT sensors in the physical world combined with computationally intensive software in the cloud will help solve many problems, as IoT devices themselves often have low computational resources. With its solution Verkada proudly boasts no onsite recorders or servers for its clients; some of those clients may now be wishing they had a self-contained system, as the client list includes schools, prisons, police stations and even Tesla.
From what has been released it looks like an internal account at Verkada was compromised, giving attackers access to the archived data. A classic supplier breach for the end clients whose videos have been affected. This incident demonstrates nicely the difficulty of choosing a solution that is either on premise or in the cloud and provided as "Anything as a Service". Either approach can be secured or be equally insecure; however, with third parties involved the attack surface becomes larger and more complex to secure. Due diligence can only go so far in providing assurance of security for something you don't have total control over. If you are unable to carry out internal audits of the supplier to ensure they are doing what they have said in a questionnaire, there is always that element of the unknown. Selecting suppliers who hold audited accreditations to known standards such as ISO27001, SOC2 etc. can help overcome the inability to carry out audits, but you are still reliant on the supplier operating as they have declared that they do on a continuous basis, and not only during the audit season.
To me it highlights the importance of following the requirements of GDPR (or the UK GDPR now) when dealing with personal data, and of implementing two core principles for securing systems:
- Build security in by Design
- Implement Privacy by Default.
Building security and privacy in during the design phase of a project is the most cost-effective approach to securing a product; it is very difficult to secure a system and ensure privacy once it has reached the production stage. The problem with building security and privacy in at the start is that it requires the necessary experts on board, and many start-ups don't have the expertise or the experience to know that the beginning of the project is the best time to consider these issues.