Security at the core

Tormod Ree, March 11 2021

On March 9th, a group of hackers gained access to live video feeds, recorded videos, and Verkada customer data. The news broke first in Bloomberg, and Verkada later posted a security update on their website.

According to Verkada, “The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021, and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.” 

There is also information circulating that the hacker group obtained access to so-called super-admin accounts and a password that gave them access to every customer account.

Secure from the ground up

We want to assure everyone that the methods used to compromise Verkada’s devices and infrastructure cannot be used against Ava Security.

Ava does not employ the concept of a super-admin that can be used to access all customer systems. Ava Aware customers are fully in control of the creation and administration of accounts on their systems, and there are no backdoors or secret hidden accounts. Ava also does not use Jenkins, or any similar system, to bulk edit any deployments, nor does it have any backdoor into our customers' systems.

We designed our Deployment Management Portal (DMP) to allow Ava’s partners and the Ava Support team to help operate and support deployments. The customer controls whether this access is enabled and what permissions are granted. Access by Ava Support is controlled by multi-factor authentication (MFA) and limited to specific individuals based on their role. In addition, all use of this mechanism is logged and audited.

Ava is a security-first company, with a strong product and security culture. We believe that to deliver an effective security solution, the system itself must be secure. Our company’s first offering in the market was Ava Reveal, a cybersecurity solution for data protection. We later broadened the offering to include Ava Aware, Ava Cameras, and the Ava Cloud Connector for video security and analytics. We have industry-leading portfolios and expertise in both video and cyber security, and share secure development models and expertise across domains to ensure all our products are secure from the ground up. While it is impossible to guarantee 100% security, we follow internationally recognized security standards and processes to minimize the risk.

The Ava approach to security

We realize that security incidents in our industry create uncertainty and that our customers and partners might have a lot of questions about security in general and our approach to security in particular. We will be as open and transparent about our process as possible. 

We developed the Ava video security solution to include security in all aspects of design and implementation:

  • We don’t have super administrator accounts that have access to all customer systems.
  • There are no hidden or backdoor accounts on either Ava Aware or Ava Aware Cloud.
  • Remote access is opt-in and limited in the scope of access by the customer.
  • Ava’s use of the Deployment Management Portal (DMP) is controlled via MFA and is logged.
  • At Ava, there aren’t any separate support team-managed servers used for updates or customer deployment tuning. All updates are managed and controlled by the core platform, which has all the security controls. 
  • All employees receive security training and detailed training on the handling and management of any customer data.
  • We have strong internal security controls and processes compliant with ISO 27001. Admins have role-based access, mandatory multi-factor authentication with physical tokens, and strong passwords. We also use a dedicated Red Team doing security testing, a Product Security Incident Response Team (PSIRT), and structured processes for handling security incidents.
  • All Ava Security staff are required to run the Ava Reveal Agent for data protection. This allows us to detect internal risks within Ava, ensure customer data is protected, and ensure our role-based access control policies are followed. 
  • We also require all staff to install industry-leading anti-malware defenses and control software that restricts access to files and information.
  • We use a centralized asset inventory tool to track and manage all assets and ensure all machines are kept up to date with the latest security patches.
  • We use a Secure Development Environment with restricted access based on role. Source code changes are reviewed and audited. Deployments of source code are also monitored.
  • We employ a defined approach to classifying sensitive and non-sensitive information, and policies that define how to handle access; internal, external, and electronic distribution; storage; and disposal/destruction.
  • All data is encrypted in transit and at rest. We use encrypted communication channels, such as HTTPS and TLS, for all communications between Ava Cameras, Ava Aware, and any viewer or administrator. These channels are all secured using certificates and private keys.
  • Exported video is encrypted with AES-256. Exported video and the accompanying metadata files are also digitally signed to verify that the video recordings and metadata have not been tampered with since being exported. Each video recording and metadata file in the exported archive has a hash created using the SHA-256 cryptographic hash function.
  • The Ava Camera hardware is based around an Ambarella processor. This processor has market-leading security and meets all of our security requirements. The Ambarella processor supports the Arm TrustZone technology to separate the secure cryptographic operations from the main application. Ava Cameras are also equipped with a Trusted Platform Module (TPM) to provide secure encryption key storage for each camera.
  • Our hardware has hand-picked components, and we have tight control over the manufacturing process.
  • As part of the manufacturing process, each device is pre-loaded with a digital certificate to prove its identity to other devices and the Ava Aware Cloud.
  • We operate on the principle of least privilege, and only a small number of staff responsible for cloud operations have platform layer access to our cloud infrastructure. This access itself is audited and requires multi-factor authentication, including strong passwords, physical tokens, and VPN access.

If you have any questions regarding our approach to privacy and security, please email us at sales@avasecurity.com at any time.
