Latest Security Update
December 10th - Update on Log4j Vulnerability CVE-2021-44228
CVE-2021-44228 is a vulnerability in Log4j, a Java logging framework. Generally, Verkada products and services do not utilize Java or, specifically, Log4j. We have found some infrastructure components of ours that may use Log4j. The components we’ve found are not exposed to the internet, and we are preparing to mitigate further with patching or configuration changes. We will provide an update here if this information changes materially.
November 4th - Completed Successful SOC 2 Type 1 Audit
Verkada Customers and Partners,
One way to ensure our data protection efforts remain strong is by undergoing a SOC 2 Type 1 audit. Conducted by an independent auditor and developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 1 compliance validates that Verkada is complying with industry standards in the design of its controls for handling customer data securely.
We’re happy to report that we have successfully completed our audit, conducted by the independent auditor “Coalfire Controls”. A copy of Verkada’s SOC 2 Type 1 attestation report is available to both current and prospective customers here.
Verkada’s SOC 2 report verifies that the controls that we have designed and implemented meet the requirements for the security principle set forth in the 2017 Trust Services Criteria for Security. The report provides an auditor’s opinion of how Verkada’s internal controls affect the security of the Command platform. We hold ourselves to a high standard when it comes to security and protecting our customers. When customers choose Verkada, we aim to provide peace of mind, not just from our security products, but with data protection as well. We hope today’s results are yet another reason why customers everywhere are choosing Verkada for their security needs.
September 13th - Security Update
Verkada Customers and Partners,
We want to inform you of a number of security-enhancing features we have released to help our customers have more visibility and control over how their Command platform is used.
Privacy & Security Checklist
As we expand the tools for Admins to manage the security and privacy of their Organizations, we have provided an easy tool to help them manage their settings in Command. The Privacy and Security Checklist highlights many of the most important security settings, such as enforcing two-factor authentication and setting up SSO, available within Command. We log each completed checklist in the customer’s audit log and allow for easy .pdf report creation for record keeping.
As an alternative to traditional password-based authentication, Command now allows users to authenticate via a secure, expiring link that can only be received through the user’s designated email. Two-factor or SSO requirements for authentication are still enforced with login links.
Audit Log API
We recently revamped our Audit Log to give admins a centralized view into all actions taken across their Command organization and added powerful search and filter capabilities. Building on that release, we have introduced API support for our Audit Log so that users can programmatically export logs into a third-party SIEM of their choice. Customers now have the flexibility to view and slice the data in their own systems so that they can get the information they need from Verkada.
Additional Admin User Controls
We have also added controls that allow organization admins to manage a user’s authentication status. Admins can easily reset a user’s password or multi-factor authentication setup, as well as log the user out of all their active sessions, directly from the user’s profile in Command.
June 22nd - 100 Day Plan Update
Verkada Customers and Partners,
In the past few months following the March security incident, you — our customers and the Verkada community — have asked tough questions, provided helpful suggestions, and shown us patience and support. For that, we are extremely grateful. Today, we are sharing additional details regarding the projects we pursued over the 100 days after the incident as we redoubled our efforts to strengthen our systems and your trust in us.
Enhancing Risk Management with the Chertoff Group
On top of the enhancements already detailed on our security blog and listed below, we are also pleased to announce that we have partnered with the Chertoff Group, one of the premier, internationally recognized consultancies in security and risk management advisory services. The Chertoff Group will work with us to further strengthen our security after the incident and to help us continue to build products that help our customers protect their people, assets, and privacy.
SOC 2 - Coalfire Assessment
We have engaged Coalfire to conduct a SOC 2 Type 1 assessment (which is already underway), to be followed by a SOC 2 Type 2 examination.
Bug Bounty Program with Bugcrowd
We have launched our bug bounty program as a private bounty program, and have already paid out multiple rewards. We look forward to expanding this program in the coming months.
Additional Penetration Testing with NCC Group
We have engaged NCC Group to add to the breadth and frequency of our penetration testing.
Customer CISO Council
We have assembled a council of Chief Information Security Officers from leading enterprises to engage in information-sharing on best practices and emerging threats. As the CISO of Verkada, I will be leading these CISO Council meetings.
Support Permission System (SPS)
On March 31st, we introduced SPS, a feature which requires customers to provide prior approval before the Verkada support team can access the customer’s on-prem Verkada equipment, through a technical feature (a toggle) that provides explicit, just-in-time authorization. When SPS is enabled, its default setting limits customer-approved access to six hours, and even during that window, Verkada has no access to customer video, audio and images unless that access is explicitly granted. In addition, we launched SPS notifications, alerting all customer admins when an SPS token is used by Verkada support staff to access a customer system.
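A small model of the just-in-time grant described above, added here as an illustration (it is not Verkada's SPS code): a customer admin issues a time-bounded token, media access needs a separate explicit grant, and every use is logged and reported to all org admins. Class names, the six-hour default, and the constructed scenario in demo() are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

DEFAULT_WINDOW = timedelta(hours=6)  # page: the default approval window is six hours


@dataclass
class SupportToken:
    token_id: str
    org_id: str
    approved_by: str             # customer admin who switched the toggle on
    expires_at: datetime
    media_allowed: bool = False  # video, audio and images need a separate explicit grant
    revoked: bool = False


@dataclass
class SupportPermissionSystem:
    admins: dict                 # org_id -> admin e-mails to notify (constructed data in demo)
    tokens: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def approve(self, org_id, admin, now, window=DEFAULT_WINDOW, allow_media=False):
        """Customer admin grants just-in-time access; returns the token support must present."""
        tok = SupportToken(secrets.token_hex(8), org_id, admin, now + window, allow_media)
        self.tokens[tok.token_id] = tok
        self.audit_log.append(("approve", org_id, admin, tok.token_id, tok.expires_at))
        return tok

    def revoke(self, token_id):
        """Customer admin closes the window early."""
        if token_id in self.tokens:
            self.tokens[token_id].revoked = True
            self.audit_log.append(("revoke", token_id))

    def request_access(self, token_id, org_id, resource, staff, now):
        """Decide whether support staff may touch `resource` ("config" or "media") on
        this org's equipment now. Logged and reported to every org admin either way."""
        tok = self.tokens.get(token_id)
        allowed = (
            tok is not None
            and not tok.revoked
            and tok.org_id == org_id                        # token is bound to one org
            and now < tok.expires_at                        # window has not closed
            and (resource != "media" or tok.media_allowed)  # media needs an explicit grant
        )
        self.audit_log.append(("access", org_id, staff, resource, allowed, now))
        for admin in self.admins.get(org_id, []):
            self.notifications.append((admin, token_id, staff, resource, allowed))
        return allowed


def demo():
    """Walk through one approval and return the decisions (constructed scenario)."""
    t0 = datetime(2021, 3, 31, 9, 0, tzinfo=timezone.utc)
    sps = SupportPermissionSystem(admins={"org-1": ["a@example.com", "b@example.com"]})
    tok = sps.approve("org-1", "a@example.com", t0)
    hour = timedelta(hours=1)
    out = {
        "config_in_window": sps.request_access(tok.token_id, "org-1", "config", "support-1", t0 + hour),
        "media_without_grant": sps.request_access(tok.token_id, "org-1", "media", "support-1", t0 + hour),
        "other_org": sps.request_access(tok.token_id, "org-2", "config", "support-1", t0 + hour),
        "after_window": sps.request_access(tok.token_id, "org-1", "config", "support-1", t0 + 7 * hour),
    }
    sps.revoke(tok.token_id)
    out["after_revoke"] = sps.request_access(tok.token_id, "org-1", "config", "support-1", t0 + hour)
    out["admin_notifications"] = len(sps.notifications)  # every org-1 request reached both admins
    return out


if __name__ == "__main__":
    print(demo())
```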
Enhanced Audit Logs
We launched enhanced audit logging to provide our customers with greater transparency into the use and status of devices and accounts in their organizations. With a new consolidated interface to view all events across an organization, these enhanced logs will provide more visibility into all events happening within your organization.
Enhanced Multifactor Authentication
Access to Verkada’s production cloud service provider, AWS, already requires multi-factor authentication, and now it requires a hardware key as one of the factors.
Configuration and Change Management
Verkada has adopted Terraform for its configuration and change management, and we will be using Terraform Cloud Sentinel to reduce the risk of security vulnerabilities in AWS security configurations.
Customer Managed Encryption Keys (CMEK)
For customers with large security engineering teams that are accustomed to managing keys across the enterprise, we are developing customer managed encryption keys (CMEK). CMEK is designed to give customers more visibility and control over how their data is being accessed and allow them to manage their encryption consistently across all their cloud-based applications. Verkada is developing this with key customer input and is reviewing the security design with third-party experts.
May 14th - Security Update
To our customers,
Two months ago, following a cyber incident, I launched a weekly webinar to address your questions and hear your concerns. These weekly forums helped provide timely updates, outline changes, and solicit your input and ideas for how we can improve our products and strengthen our security.
Due to decreased attendance, we have decided to discontinue these weekly webinars; however, we will continue to provide you with relevant updates as appropriate. In addition, you may contact our security team at (650) 514-2500 or [email protected] if you have any questions. Thank you for your participation in the weekly webinars and your continued interest in Verkada.
April 26th - Security Update
Verkada Customers and Partners,
We’re writing to let you know that Mandiant — the external firm hired to conduct an independent review of our March 9th security incident — has concluded its investigation and confirmed that its findings are consistent with those from our own internal investigation. You can download the letter here.
As we previously shared, all affected customers were notified of this attack. You can read more about our internal investigation, which was released on April 7 and updated on April 23, here.
With both these security reviews complete, our focus is now on the remainder of our 100-day plan to strengthen the safeguards in our products. This includes strengthening our governance programs and ensuring strong checks and balances in our security program, including:
Establishing a Security and Privacy Governance Committee that includes members of our executive team, including the CISO;
Providing quarterly updates from the CISO on our security and privacy programs to the board of directors;
Setting up a compliance program that builds towards a SOC 2 examination and report;
Creating a Customer CISO Council to advise us on best practices for security procedures and protocols;
Launching our bug bounty program to incentivize engineers and security researchers to find, report, and help address malware and vulnerabilities associated with any of our software;
Conducting enhanced penetration testing; and
Improving change and configuration management.
We will continue to provide relevant updates regarding the progress on these steps.
April 7th - Security Update (updated April 23rd)
Please find a copy of the March 9th, 2021 security incident report by clicking here.
March 31st - Security Update
Verkada Customers –
We are writing to let you know that Verkada has concluded its own review of the security incident. While we wait for the final report from our outside forensic firm, Mandiant, we want to update you on our findings thus far.
Our review determined that 95 customers had video security and image data accessed by the attackers. In total this represents less than two percent of our approximately 6,000 customer population. This is in addition to the data we previously disclosed on March 10th. We have confidence that this reflects the full scope of the attacker’s access to any customer video and images.
Our review also confirmed that there was no compromise of user passwords or password hashes, or Verkada’s internal network, financial systems or other business systems. After additional review, we can confirm that the list of information that attackers accessed, as reported in our March 10 update, is accurate.
Verkada has already contacted the impacted customers, and today we are reaching out to provide updated details of our internal findings about how attackers accessed their systems. If you have not been contacted, your system was not accessed by the attackers.
Thank you for your patience as we worked to determine the full scope of the attack. As we await Mandiant’s findings, we will continue to move forward with the work outlined in our 100-day plan – identifying and implementing additional security measures and policies to protect Verkada’s systems. We will update you as that work continues.
Finally, today, we released a new customer tool – Support Permission System (SPS) – which gives customers direct control and increased security regarding technical support they receive from Verkada. This is the first step in the development and improvement of tools and permissions that will ensure we can appropriately and effectively balance our delivery of customer support with the privacy and security of customer data as our company continues to grow. Read more about this tool here.
March 19th - Security Update
As we continue to talk to our customers, we want to provide an update and respond to questions we have received.
Addressing Your Concerns
On March 17th, Verkada co-founder and CEO Filip Kaliszan held the first of the customer webinars we announced last week to address customer questions or concerns. The next webinar will take place on Wednesday at 11am PST; you can register here.
Investigation into the Attack
We have heard from customers who want to understand the full scope of the attack. We have contacted each of the small subset of our customers whose accounts were illegally accessed, and we will continue that outreach as necessary, as our investigation continues. To be clear: if you have not been contacted, then we have no evidence thus far indicating there was unauthorized access by the attackers to your organization’s image or video data.
Firmware Integrity Checks
As part of our ongoing security review and as an additional safeguard, we are implementing new firmware integrity checks. While we routinely keep our firmware up to date to keep it secure – and to date have found no evidence suggesting that Verkada firmware has been tampered with – we have proactively decided to add this additional layer of security.
Verkada will be running a firmware integrity check periodically on all cameras to ensure there hasn’t been any tampering with our firmware. If a camera were to fail an automated check, our security team would be notified immediately and you would be contacted.
This feature is now enabled for all cameras and, in the coming weeks, the results of each firmware integrity check will be available in the customer-facing Command UI.
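An illustration of the sweep described above, added here and not Verkada's implementation: each camera's reported firmware digest is compared with a known-good manifest, per-camera results are produced for a UI, and anything that is not a verified match is escalated. Model names, versions, sample images and the fleet in sample_reports() are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for published firmware images, keyed by (model, version).
SAMPLE_IMAGES = {
    ("CAM-A", "1.2.0"): b"CAM-A firmware 1.2.0 (constructed sample image)",
    ("CAM-B", "3.0.1"): b"CAM-B firmware 3.0.1 (constructed sample image)",
}
# Known-good manifest: SHA-256 of each published image.
MANIFEST = {k: hashlib.sha256(v).hexdigest() for k, v in SAMPLE_IMAGES.items()}


@dataclass
class CameraReport:
    camera_id: str
    model: str
    version: str
    # SHA-256 the camera reports for its own image; None if it did not answer.
    # A self-reported digest is only as trustworthy as the code that computed it;
    # a hardware root of trust or measured boot is the stronger form of this check.
    digest: Optional[str]


@dataclass
class CheckResult:
    camera_id: str
    status: str   # "pass", "fail", "unknown_build" or "no_report"
    detail: str


def check_camera(report, manifest=MANIFEST):
    """Compare one camera's reported digest with the manifest. Anything that is not a
    verified match fails closed, so a silent camera or an unknown build is escalated too."""
    if report.digest is None:
        return CheckResult(report.camera_id, "no_report", "camera returned no digest")
    expected = manifest.get((report.model, report.version))
    if expected is None:
        return CheckResult(report.camera_id, "unknown_build",
                           f"{report.model} {report.version} is not a published build")
    if hmac.compare_digest(expected, report.digest):
        return CheckResult(report.camera_id, "pass", "digest matches manifest")
    return CheckResult(report.camera_id, "fail", "digest does not match manifest")


def run_sweep(reports, manifest=MANIFEST):
    """One periodic sweep over the fleet: per-camera results for the UI, plus the
    subset that should page the security team."""
    results = [check_camera(r, manifest) for r in reports]
    alerts = [r for r in results if r.status != "pass"]
    return results, alerts


def sample_reports():
    """Constructed fleet: one clean camera, one tampered image, one unknown build, one silent."""
    clean = hashlib.sha256(SAMPLE_IMAGES[("CAM-A", "1.2.0")]).hexdigest()
    tampered = hashlib.sha256(SAMPLE_IMAGES[("CAM-B", "3.0.1")] + b"\x00").hexdigest()
    return [
        CameraReport("cam-001", "CAM-A", "1.2.0", clean),
        CameraReport("cam-002", "CAM-B", "3.0.1", tampered),
        CameraReport("cam-003", "CAM-B", "9.9.9", clean),
        CameraReport("cam-004", "CAM-A", "1.2.0", None),
    ]


if __name__ == "__main__":
    results, alerts = run_sweep(sample_reports())
    for r in results:
        print(r.camera_id, r.status, r.detail)
    print(f"{len(alerts)} camera(s) need security-team attention")
```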
March 15, 2021 Security Blog Post
As part of our ongoing investigation, we have notified customers whose Verkada systems were accessed by the attackers.
If you have not been contacted, we want to let you know that currently available evidence shows no access to your organization’s image or video data by the attackers.
It is important to note that our investigation remains ongoing and we have engaged a third-party firm, Mandiant, to conduct their own investigation. If we discover that your organization’s image or video data was accessed, we will notify you promptly.
March 12th - A note from our CEO, Filip Kaliszan.
To our customers,
We founded Verkada five years ago to build the world’s safest and most sophisticated physical security systems. We saw shortcomings in the market and inefficiencies in how companies were trying to address their security concerns. We believed we could find the solution in better software, and we set out to build a system that would be easy to use, highly scalable, and fully secure out of the box.
From the beginning, we understood that video surveillance is a powerful tool and that privacy controls for our customers, their employees, and their clients would be paramount. That is exactly why we structured our business to give full data ownership to our customers and laid out a clear privacy framework. We have always aimed to strike the right balance between ensuring full control for our customers and maintaining just enough access to provide the best product and customer support.
But as the attack earlier this week showed, we fell short of our goals for ourselves and your expectations for us. We promised that you would have control, and this incident has shown us that we have failed to keep that promise – we are deeply sorry.
As co-founder and CEO, I want to assure you that everyone at Verkada is committed to keeping our promise. To do that, we have developed a plan to guide our work over the next 100 days – and beyond – as we redouble our efforts to strengthen the safeguards in our products and earn back your trust. And we have already started – here are some of the things we are doing right now:
REFOCUSING OUR ENGINEERS – I have redirected our engineering team to make security, trust and privacy, their number one priority, effective immediately. We are also prioritizing the hiring of security engineers ahead of other technical roles.
ENGINEERING SWAT TEAM – I am working with my senior team to identify a core group of engineers who can lead our work addressing any questions pertaining to privacy and security. I will meet weekly with this team, whose work will be directed by Kyle Randolph, Verkada CISO. Our goal is to work together to maintain and rebuild your trust, and to reinforce that our system is created to put and keep your data in your hands.
ENGAGING THIRD-PARTY EXPERTS – We have engaged Mandiant and Perkins Coie to conduct a comprehensive review of the security of our systems, so we can better understand any issues and work to resolve them. Additionally, we are considering partnerships with other third-party firms and experts that can help with a comprehensive review of our systems.
WEEKLY CUSTOMER WEBINARS – Starting at 11:00am on Wednesday March 17th, I will host weekly webinars to listen to customers and get a sense of your concerns while helping you identify and implement the best security practices for your systems.
The Next 100 Days
In addition to what we have already started, here is what we are looking to do over the next 100 days:
ACCESS TRANSPARENCY – While we already have robust logging and audit capabilities, we will ensure that customers receive proactive notifications whenever their data is accessed by Verkada, including by our technical staff.
GOVERNANCE PROGRAM – Establish strong checks and balances on our security program, including:
Security and Privacy Governance Committee including members of our executive team and CISO to review the progress on improving Verkada’s security program
Quarterly update by our CISO to the board of directors on the state of our security and privacy programs
Establish a compliance program building on our history of independent audits and progress towards a SOC 2 examination and report
CUSTOMER CISO COUNCIL – Kyle Randolph, Verkada’s CISO, will create and lead a group of CISOs to advise Verkada on security procedures and protocols.
REVIEWING OUR INTERNAL ACCESS MANAGEMENT – We will review our policies and procedures and identify new ways to strengthen our existing controls and add new levels of security, while identifying new ways to better practice the principle of least privilege, manage access privileges and to secure our system.
CUSTOMER DATA GOVERNANCE TOOLS – We will build new capabilities to give you better visibility into how your data, account information and audit logs are protected, stored, accessed, retained, deleted and exported.
LAUNCHING A BUG BOUNTY PROGRAM – We will launch a bug bounty program to incentivize engineers and security researchers to find, report and help resolve issues – strengthening our platform to prevent future issues.
ENHANCED PENETRATION TESTING – While external firms and Verkada engineers have conducted penetration tests for years, we will increase both the number and scope of these penetration testing efforts.
CHANGE AND CONFIGURATION MANAGEMENT – Reduce the potential for vulnerabilities to be introduced by continuing our adoption of configuration-as-code, automated testing, and separation of duty.
Lastly, I wanted to thank you for your partnership and look forward to engaging with you on the security and privacy work we have outlined above. We will continue to update you on this page and I encourage you to continue asking questions and providing us with feedback on what we can do better.
March 10, 2021
To Our Verkada Customers –
Yesterday, we contacted you after learning that Verkada’s system was accessed by attackers. We want to share an update on the security of our system, the status of our investigation, and the steps we are taking to ensure the protection of our system and our customers.
First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.
The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.
We are continuing to investigate the incident, and we are contacting all affected customers. At this point, we have confirmed that the attackers obtained the following:
Video and image data from a limited number of cameras from a subset of client organizations
A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.
A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.
At this time, we have no evidence that the breach compromised the following:
User passwords or password hashes
Verkada’s internal network, financial systems, or other business systems
We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.
In addition to our internal response team, we have retained two external firms, Mandiant Solutions and Perkins Coie, to conduct a thorough review of the root cause of this attack and support our efforts to ensure internal security. We also notified the FBI, who are assisting us in this investigation.
I want to thank you all for your support. We will continue to share updates with you as our investigation proceeds. Please reach out to us if you have any additional questions.
March 9, 2021
Dear Verkada Customers,
This morning we were made aware of a potential security incident involving unauthorized access of some of our products. Our internal security experts are actively investigating the matter.
Out of an abundance of caution, we have implemented additional security measures to restrict account access and further protect our customers.
We take the security of our products and our users very seriously, and we are committed to keeping you informed as we gather more information.