His own email?
A technician at ADT remotely accessed hundreds of customers' CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted. At least one of the victims was a teenage girl, and another a young mother, according to court filings. Last month, an ADT customer in Dallas, Texas, spotted and reported an …
Wow! What a creep. It does point to a certain laxity on the part of ADT in the first place to ensure that any unauthorised access was not possible.
From the article, it mentioned they were going to remove the unauthorised email address via a software update; that seems to indicate that access may still be possible by other means.
Perhaps they should consider a full security audit on their kit?
"From the article, it mentioned they were going to remove the unauthorised email address via a software update, that seems to indicate that access may still be possible by other means."
They were going to remove the ability to access the service mode via an update. It was this that allowed the perv to enter his e-mail in the field.
Right. Absolutely true. Just like White Star Lines failed to put enough lifeboats for all passengers.
ADT is guilty of trusting its employees. A harsh lesson, and one that will bring down a raft of restrictions and technical difficulties that will indeed make it impossible in the future to do such things as spy on an underage girl. And that is undoubtedly a good thing. However, given that ADT threw the book at the guy and delivered him to the police, and pledged to do what was necessary to keep this from ever happening again, I do not see that ADT should shoulder all the blame.
Honestly, the technician was there to install the system. He has authority to define the email addresses that have access. Internal procedures already forbade any unrecognized manipulations, what more do you want? The creep cheated. The system is not at fault.
Now, ADT is going to have to modify the installation procedure to ensure that the technician has a list of approved email addresses, shows them to the customer and gets a signed approval, in order to ensure that this does not happen again. Because of one asshole, countless time and money will be employed to get customer approval of every address added to the system.
That's exactly why we need laws: because of the 0.0001% of assholes who ruin everything for everyone.
I would agree that ADT should not shoulder all the blame - but they are jointly responsible.
On the good side, they collected logs and were able to trace the issue. However, on the bad side, it took a customer to monitor the logs and alert them to the problem. Why were ADT not monitoring the logs? Probably because it costs time and money, so almost certainly somebody in ADT made the trade-off that they did not want to pay for this work to be done.
Yes, you have to delegate control to employees and give them the ability to do their job, but every company is responsible for ensuring monitoring is not only in place but also regularly audited.
How would ADT monitor logs? Checking firstname.lastname@example.org doesn't have access is one thing (though of course bob might own the house); but there is no way to tell email@example.com is not genuine.
Even cross-referencing all the log-on lists is impractical: corporate sites will have many identical users, security companies may have legitimate access across many sites, even someone owning multiple properties.
The only thing ADT can realistically do is make sure owners check who has access to their systems and possibly enforce an audit every 6 months (which would piss off most users).
You don't have scripts or triggers for certain accounts accessing many systems? You don't have audit logs checking multiple account logins to multiple consoles? How about access audit logs for security and admin rights?
How would you spot rogue admin accounts on your systems?
ADT is a security company failing at security. Pretty shit job.
but they are jointly responsible.
But they are wholly responsible for allowing it to happen in the first place and not having protocols to prevent and detect abuse of their system, for that alone they should burn.
But this is in the USA so it'll drag on for years, the 220 families will get a token payment and a "truly sincere" apology while the lawyers will get new yachts.
"But they are wholly responsible for allowing it to happen in the first place and not having protocols to prevent and detect abuse of their system, for that alone they should burn."
Is the correct answer. This is evidence of shocking levels of not caring about security by ADT. It's negligence. As to "How would ADT monitor logs?" raised by someone else: that's what a SIEM is for, although monitoring logs is hardly a taxing task. Config changes should be reported to ADT/the customer.
This incident is evidence that ADT was saving cash by skimping responsibility.
DJO, any ADT technician onsite will need to be able to access the system, and there has to be a way for the residence owner to add or remove people, so all it takes is one rogue ADT tech breaking the rules when servicing the kit and you think the whole company should go down?
If one of your relatives or friends broke the law but you didn't, should you be punished for it too? (Ignoring the offences of being an "accessory before, during or after" and of "aiding and abetting" by not reporting it, of which you would be guilty).
so all it takes is one rogue ADT tech breaking the rules
No, all it takes is ADT to design a system where abuse is both possible and able to remain undetected.
Yes, you are going to get "bad players", but surely we all know that: you know that, I know that, ADT know that, so it is inexcusable for them not to have taken that into account when designing their systems.
Or perhaps the admin access is logged centrally so that ADT could contact the admins if necessary. Pretty fucking obvious if the same email turns up on many systems. Maybe the principal account holder needs to auth the additional admin manually. Perhaps the system periodically emails the principal with a list of what it has done etc.
The problem is, how does ADT know the difference between an email address the customer entered and an email address that was entered by an employee when visiting the customer? I assume it was a private email address, so it probably wouldn't have been suspicious in a log on its own, just another gmail address, for example.
If their system checked for the same address on multiple accounts, it might work - unless he created a different address for each account he compromised...
I agree ADT has some fault here, but no matter how hard you make it, somebody will come up with a way around your precautions.
This is why there is a legal definition of due diligence.
They don't have to make it impossible, they just have to make it unfeasibly difficult or easily spotted and terminated.
The least the system could do is check whether a new email address is on other accounts, check admin access by geo-location and/or use behaviour analytics on access. It needs no human intervention and the cost is reasonable compared to the cost of running the system.
"The creep cheated. The system is not at fault."
I beg to differ. I'll bet you a pony that ADT has procedures in place that prevent people in accounts payable from writing themselves a check for 6 figures. I doubt any employee or even an executive has sole authority to access an unusually large sum of money.
Tech installs and configures the system and a random supervisor logs in and checks the configuration remotely when it's complete. Any anomalies in standards are called out immediately. Any indication the tech is installing a backdoor is met with a dismissal.
It's not hard to create a system with checks and balances. Only the will to do it is lacking.
Although as a parent (or more generally, a person who tries to think things through) I think I would push back on cameras in bedrooms/bathrooms regardless.
And yes, the key thing about systems is that the owner should be notified when new accounts are added, maybe get a monthly report of users on the system, and more. Full audit trails of every configuration option too. I don't know if ADT have centralised access to accounts or if they're managed within the home only - but duplicate email addresses on multiple home installs could be flagged and investigated as well. I.e., basic business reports could have found this issue far earlier, but nobody thought that an employee would actually be tempted by the thought of some sneaky voyeurism?
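The checks suggested in the comments above (the same address turning up on many installs, an admin added in service mode that the principal account holder never approved, and a periodic list of who has access for the owner) can be run over a central audit log without any human intervention. The following is an added example written for this thread; it is not ADT's code or any real product's, and the log schema (fields `site`, `actor`, `mode`, `action`, `email`, `approved_by`), the sample lines and the support address allowlist are all constructed for the example.

```python
"""Audit-log checks for a fleet of customer alarm/camera sites (added example).

Assumed log format: newline-delimited JSON, one event per line. Field names
are an assumption for this example, not a real product's schema.
"""
from collections import defaultdict
import json

# Constructed sample log. tech:t42 adds the same outside address on two sites
# while in service mode with no owner sign-off; the owner of site-1003 adds
# the same address themselves; support@alarmco.example is the supplier's own
# support login, provisioned everywhere.
SAMPLE_LOG = """\
{"ts": "2020-03-01T10:00:00Z", "site": "site-1001", "actor": "tech:t42", "mode": "service", "action": "user_add", "email": "owner1001@example.com", "approved_by": "owner"}
{"ts": "2020-03-01T10:05:00Z", "site": "site-1001", "actor": "tech:t42", "mode": "service", "action": "user_add", "email": "viewer.x@example.net", "approved_by": null}
{"ts": "2020-03-02T11:00:00Z", "site": "site-1002", "actor": "tech:t42", "mode": "service", "action": "user_add", "email": "owner1002@example.com", "approved_by": "owner"}
{"ts": "2020-03-02T11:04:00Z", "site": "site-1002", "actor": "tech:t42", "mode": "service", "action": "user_add", "email": "viewer.x@example.net", "approved_by": null}
{"ts": "2020-03-03T09:30:00Z", "site": "site-1003", "actor": "owner", "mode": "normal", "action": "user_add", "email": "viewer.x@example.net", "approved_by": "owner"}
{"ts": "2020-03-03T09:31:00Z", "site": "site-1003", "actor": "tech:t07", "mode": "service", "action": "user_add", "email": "support@alarmco.example", "approved_by": null}
{"ts": "2020-03-04T08:00:00Z", "site": "site-1001", "actor": "tech:t07", "mode": "service", "action": "user_add", "email": "support@alarmco.example", "approved_by": null}
{"ts": "2020-03-04T08:10:00Z", "site": "site-1004", "actor": "tech:t07", "mode": "service", "action": "user_add", "email": "support@alarmco.example", "approved_by": null}
{"ts": "2020-03-10T19:00:00Z", "site": "site-1002", "actor": "owner", "mode": "normal", "action": "user_remove", "email": "viewer.x@example.net", "approved_by": "owner"}
{"ts": "2020-03-11T12:00:00Z", "site": "site-1004", "actor": "owner", "mode": "normal", "action": "user_add", "email": "family1004@example.com", "approved_by": "owner"}
"""

# Addresses the supplier legitimately provisions on every site (assumed).
SUPPORT_ALLOWLIST = {"support@alarmco.example"}


def parse_log(text):
    """Parse the newline-delimited JSON log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cross_site_accounts(events, threshold=3, allowlist=SUPPORT_ALLOWLIST):
    """Return {email: [sites]} for addresses ever added to >= threshold sites.

    Counts history rather than current access, so removing the address
    later does not hide the pattern. Known support logins are excluded.
    """
    sites_by_email = defaultdict(set)
    for ev in events:
        if ev["action"] == "user_add" and ev["email"] not in allowlist:
            sites_by_email[ev["email"]].add(ev["site"])
    return {email: sorted(sites) for email, sites in sites_by_email.items()
            if len(sites) >= threshold}


def unapproved_service_mode_adds(events, allowlist=SUPPORT_ALLOWLIST):
    """(site, email, actor) for users added in service mode without the
    principal account holder's recorded approval."""
    return [(ev["site"], ev["email"], ev["actor"]) for ev in events
            if ev["action"] == "user_add" and ev["mode"] == "service"
            and ev.get("approved_by") != "owner"
            and ev["email"] not in allowlist]


def access_report(events):
    """Current addresses with access per site, replaying adds and removes:
    the list an owner would get in a periodic notice."""
    current = defaultdict(set)
    for ev in events:
        if ev["action"] == "user_add":
            current[ev["site"]].add(ev["email"])
        elif ev["action"] == "user_remove":
            current[ev["site"]].discard(ev["email"])
    return {site: sorted(emails) for site, emails in current.items()}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("addresses on many sites:", cross_site_accounts(EVENTS))
    print("unapproved service-mode adds:", unapproved_service_mode_adds(EVENTS))
    for site, emails in sorted(access_report(EVENTS).items()):
        print(f"{site}: {', '.join(emails)}")
```

The threshold of three sites is deliberately low for the sample; in a real fleet it would be tuned against how often one address legitimately covers several properties, and anything flagged would go to a human review rather than an automatic lock-out.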
This is the reason I have never connected my wifi camera to the internet. Mine is a swivel and pan job. I went to a major retailer of electrical goods, for which Hugh Dennis may do the advertising voiceovers. I asked the sales associate for a wifi camera that had swivel and tilt that didn't require an internet connection. I explained that I wanted to use it whilst at home to see when I was getting a delivery. He showed me one brand I knew did require access and didn't have swivel and tilt. I pointed this out and we looked at others, all of which required the internet and in some cases a cloud storage subscription.
After rejecting all of them the bloke says I'll need the internet, so he can't see why I'm rejecting all these cameras. I said I specifically didn't want that and in a testy voice asked why I'd "need" it. How else would I be able to see it when out? "I won't" is my reply, but then neither will anyone else.
I can see that some people living in a single storey home where all ground floor windows might be seen as a possible point of entry by a criminal might go for a system like that. But even then, I'd be wary about when the cameras might be "live" and what they may record, where the images are stored and who might have access to those recordings. I suspect that it's "security consultants", i.e. sales people, up-selling a system with more cameras than necessary.
Personally I'd go with outside cameras set up so that the alarm is triggered if the camera faults or disappears from the system. Or maybe no cameras, just proper perimeter detection triggering alarms and lights.
"I can see that some people living in a single storey home where all ground floor windows might be seen as a possible point of entry by a criminal might go for a system like that."
I live in a three storey house. It still has ground floor windows. Do criminals just give up with trying to get in through a ground floor window if the house isn't a bungalow?
"I live in a three storey house. It still has ground floor windows. Do criminals just give up with trying to get in through a ground floor window if the house isn't a bungalow?"
Of course not. I was making a point about ground floor bedrooms and therefore why someone might want a security camera in a bedroom. If you are in a flat or apartment solely on the ground floor of your three storey house, then yes, this may still apply to you. I didn't specify a bungalow, I just specified an entirely ground floor dwelling. For the argument I was making, it was irrelevant if anyone was living on a floor above the ground floor dwelling.
I suspect the salesman was bonused on the number of cameras installed / size of deal, so if they can persuade them that cameras in the bedrooms are 1) Safe 2) A good idea then they'll sell more cameras and make more money.
The only way to stop that is ADT having a corporate "No cameras in bedrooms FFS" policy, and even then the sales people will be grumpy about it getting in the way of their ability to sell...
Yup. Seriously – I would not put a camera in my bedroom and then expect nobody to see the footage. I mean, even if it were used to solve a break-in or something, someone would have to go through all the other footage to find the pertinent bit, which would inevitably include things I'd really rather people did not see. CCTV has no place in bedrooms at all. They don't even do that in prisons, FFS.
Yes I have CCTV at home and I can add a further 17 network cameras and 6 physical cameras onto it. But as good as the system is, I have it behind my firewall, running off a box I trust and can review access to at any time.
Also, if I was ever going to add any cameras inside the house, they'd be on the ground floor or at worst, the stairs pointing down them. Never in any of our bedrooms. What goes on in there needs never be recorded... (Well except for that one video... But that's besides the point).
As tragic as this is, it could have been avoided if the temptation wasn't there due to cameras in private locations.
That doesn't however remove that ADT allowed this to happen. Human weakness will always bring down these high ideals.
It's already available, with the rest of the junk stolen from the unaware. You can usually access it for yourself at IP address 127.0.0.1 ...
Oh wow! Now I don't have to do backups anymore, all my stuff is saved on the cloud! I can clear up extra files too, since I can always re-download them from there...
Almost every single camera manufacturer offers a non-cloudy offering:
- Geovision/Hikvision (Taiwanese/Chinese.. make of that what you will)
- Dahua (Also Chinese.. see above)
- Axis (Swedish - Very expensive and poor value for money)
- Samsung / Hanwha-Techwin - (South Korean - Moderately expensive)
- Bosch - (German - Insanely overpriced and I believe some of their units are actually made in China now anyway)
- Mobotix - (German - Horrifically expensive, pro-grade kit)
The others are almost all rebranded kit. All of the above come with local recorder solutions which you don't have to even supply an internet connection to. Some have cloud options but again, you don't have to use them :-)
It's a Hikvision one. Originally designed for commercial properties along with our house alarm (I've seen a number of different small businesses use the same system).
With regards to configuration, I've monitored its network traffic through Wireshark and I've not seen anything I wasn't expecting from it.
With regards to streaming externally, I've configured a DDNS host, changed the port numbers and stuck a stupidly long password for the externally available account (viewing only, no further control to the system). It's also got a blacklist for failed access attempts.
Long term I might move to running it over an SSH tunnel for that added level of security but I've not seen enough attempts to warrant going that far yet.
Also for the record, Hikvision has open-sourced a number of systems' firmware since 2017, so if you've got the time and inclination you can have a nosy through that for nefarious Chinese/Russian/Iranian/North Korean/American/bogeyman du jour code that shouldn't be there.
Ubiquiti cameras are absolutely piss-poor in almost every conceivable notion. Value for money, quality, interoperability (no ONVIF!), you name it. Their networking kit is ace, but their CCTV stuff belongs in the same place as their equally pathetic VoIP phone escapade they briefly embarked on, and that's in the bin.
They roll the dice on external security services vs developing and administering their own... now they're upset that a piece of paper and a company name did not protect them from basic realities. When you outsource you lose control and are completely at the mercy of whatever underpaid, disgruntled workers the contracted company managed to retain.
The only people that should ever have physical access or be involved with the installation or operation of your security system is you and the other occupants of the house.
If you need to access your remote camera feeds, use a VPN gateway.
If There's cameras in the bedroom then you can be pretty sure the dad is watching his daughter masturbate.
Calling ADT a security company is a bit rich, in the UK anyway. They now consist of a massive network of 'franchised' self-employed contractors. I've seen some of their work and quite frankly, it's ridiculous.
- Internal grade CAT5, cheap-ass CCA, run over a factory roof, split wide open after less than 2 years and filled with water, which killed all the cameras.
- Daisy-chaining power supplies together with jelly crimps, chocolate blocks,
- CCTV DC 12V power fed from a butchered 12V charger for a child's electric toy car, sellotaped and chocolate-blocked to feed 4 cameras...
- WD Green hard drives installed in a CCTV NVR/DVR...
The list goes on. I've had multiple encounters with ADT's CCTV division and they are borderline dangerous at times. I don't know what their alarm side are like, but I'm not sure I'd entrust my home security to them based on prior dealings.
Companies that are supposed to install a SECURITY system always end up having shit security.
The CCTV installers we used at work set up all the remote cameras with the same easy-to-brute-force passwords, and never bothered to switch on HTTPS. So all cameras, for years, were publicly available to the world if you knew the IP addresses. Until I joined and spotted it and suggested we may want to lock them all down.
Then you have the local alarm company that put the alarm in my house before I bought it, whose website is so poor I'm shocked they are still in business. Half HTTP, bits in HTTPS. Links to broken pages. Links to dead domains. One domain I purchased and redirected to my site instead.
Speaking of that last bit, you also have CCTV installers that go bust. Hence the sign on a beach on the Isle of Wight that states there are CCTV cameras watching that area (there aren't). The domain address on the sign was now dead as the company had gone bust. So again, for the fun of it and in case someone ever looks that address up like I did, it redirects to my website :)
“This type of access could only occur because ADT failed to implement adequate procedures that would prevent non-household members from adding non-household email addresses,”
And just how would ADT or anyone be able to define household email addresses? Sure, you could write them on the order form, but you would always need the ability to change or add them. Is this so different from net-connected baby monitors running default passwords, and not just another case of people having to face up to the need to admin any net-connected device they add to their home?
While I have sympathy for the victims in so much that it happened, it's just another I.D.I.o.T* leak, just a particularly sleazy one. While the alarms were probably the phone-home-to-base-station monitored varieties, the owners, if not ADT, should audit the defaults and at the very least change the admin password. If it was a cloudy portal then ADT really should force account reviews every month at login: literally, at login confirm that n number of people should have access to cams, locks etc. No different to how access to key safes is conducted.
*Insecure Defaults on IoT
... in rural CCTV systems: watching your barns, horses, etc. First thing I tell any potential clients: any system that gives you the convenience of seeing your camera feed over the internet is, unless we are going to spend a lot more money (and still no guarantees), going to be visible to at least someone over the internet. You need to double-check the frame of all fixed cameras and perhaps even put physical shields on PTZ cameras to ensure they can't see sensitive areas even if they can be moved remotely.
Of course, most horses aren't that bothered about cameras (until one girl got enthusiastic and tried to remotely talk to her horse via the camera speaker!) but it's not unusual for a time-pressed groom to piss in the straw they're just about to take to the muck heap, rather than trek to the nearest toilet. Most of them couldn't give two hoots whether you see them or not, but you've got to make sure they know the cameras are there. (Of course I also have to explain to the stable owners/managers that such cameras absolutely may not be used to check on the work of one's staff).
While populists are quick to call for corporal punishment, even the death sentence, when some perv abuses a minor; nobody calls for similar measures for businesses.
Why can't we sentence bad corporations to be mandatorily retired, i.e. all business' assets are sold off, the business goes out of existence.
After all, it took millennia of cruel, draconian punishment for us humans to prevent us from killing each other.
Imagine all the shareholders of Equifax having their stocks dissolved by court order. *Poof* money gone. That will teach them to make actual security a priority over fast profit.
You don't need to kill the companies, you simply need to hold the company's board and entire C-suite responsible. If the CEO knows that he will go to prison for his firm committing a crime (rather than just the firm paying some sort of fine), then he will make sure the firm does NOT commit a crime.
When people are held personally responsible, they tend to be much more willing to sacrifice immediate profits to stay on the right side of the law.
In this case it's difficult to see what more the company could do.
When the system is installed on site the installation tech 'helps' a customer enter their account details, and also enters his own.
Other than having a 2nd installer oversee the first, and another inspector inspecting that inspector....
They could send a message to the customer listing all the accounts but would a non technical customer notice if the tech was at all smart about picking a name?
When CCTV started to blossom on every street and public building I was working testing the systems post-installation. The software had an option to store camera presets so that the operator could quickly return the camera to its "home position" or have alternative PTZ settings for "known hotspots". In the first year it was obvious that some operators had added their own presets for bedroom windows, public lavatories etc. All of them were dismissed from their jobs. One was weird: it zoomed in on a random garden. It turned out to be that of the next-door neighbour of the operator. There was a long-standing feud between operator and neighbour, so she was using the CCTV to watch what her neighbour got up to while she was at work. After that she had lots of time at home to watch her neighbour the traditional way, through the curtains.
There are a number of posts focussing on the sexual aspects of monitoring bedrooms (and bathrooms). Can I respectfully suggest a couple of reasons:
(1) You have young children and wish to monitor the baby sitter to detect any form of mistreatment.
(2) You have an aged and/or disabled and/or vulnerable member of the household who requires agency care and you wish to monitor for neglect and abuse. Plenty of examples of cameras hidden in care homes to expose abuse. Extend this to full monitoring of an aged relative who lives alone for trips, falls and again (contract, probably) support staff.
For those banging on about scanning logs for unauthorised changes being easy. I assume (not stated clearly) that initial installation would include the addition of email addresses to the system for authorised users. Part of the service might well be for the installer to add the addresses for the less technically able (or lazy) customer. One extra address seems easy, and as this is the initial install this forms the baseline to check against for unauthorised changes. I assume there are also legitimate addresses installed for supplier support or it shouldn't have taken 7 years to spot.
So 20/20 hindsight from most, but no real suggestion about how to spot an email address which isn't authorised support and isn't a personal email belonging to a customer.
Interested, though, that the feature being used to abuse the system can be turned off without apparently affecting the end user's ability to configure.
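One practical answer to the question raised in the comment above (how to spot an address that is neither authorised support nor a customer's own) is the one the comment itself hints at: treat the access list the customer signed off at install as the baseline and compare every later snapshot of the site's configuration against it, with the supplier's known support logins allowlisted. The following is an added example written for this thread, not ADT's code or any real product's; the `Grant` record, the baseline and current snapshots, and the allowlisted support address are all constructed for the example.

```python
"""Baseline-vs-current access drift check per site (added example).

Assumption: at install, the addresses and roles the customer approved are
recorded as a signed-off baseline; later, each site's current user list is
pulled and compared against it. Anything added that is not in the baseline
and not a known supplier support login, anything removed, and any viewer
that has become an admin is reported for review and sent to the owner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    email: str
    role: str  # "admin" or "viewer" (assumed two-role model)


# Supplier support logins the company provisions itself (assumed).
SUPPORT_ALLOWLIST = {"support@alarmco.example"}

# Constructed baseline: what each customer signed off at install.
BASELINE = {
    "site-1001": {Grant("owner1001@example.com", "admin"),
                  Grant("partner1001@example.com", "viewer")},
    "site-1002": {Grant("owner1002@example.com", "admin")},
}

# Constructed current state, as pulled from each site later.
CURRENT = {
    "site-1001": {Grant("owner1001@example.com", "admin"),
                  Grant("partner1001@example.com", "admin"),    # escalated
                  Grant("viewer.x@example.net", "viewer"),       # never signed off
                  Grant("support@alarmco.example", "viewer")},   # allowlisted
    "site-1002": {Grant("owner1002@example.com", "admin")},      # unchanged
}


def drift_for_site(baseline, current, allowlist=SUPPORT_ALLOWLIST):
    """Compare one site's current grants with its signed-off baseline."""
    base_roles = {g.email: g.role for g in baseline}
    cur_roles = {g.email: g.role for g in current}
    added = sorted(e for e in cur_roles
                   if e not in base_roles and e not in allowlist)
    removed = sorted(e for e in base_roles if e not in cur_roles)
    escalated = sorted(e for e in cur_roles if e in base_roles
                       and base_roles[e] == "viewer" and cur_roles[e] == "admin")
    return {"added": added, "removed": removed, "escalated": escalated}


def fleet_drift(baseline_by_site, current_by_site):
    """Return only the sites whose access differs from their baseline."""
    out = {}
    for site in sorted(set(baseline_by_site) | set(current_by_site)):
        d = drift_for_site(baseline_by_site.get(site, set()),
                           current_by_site.get(site, set()))
        if any(d.values()):
            out[site] = d
    return out


def owner_notice(site, drift):
    """Plain-text notice for the principal account holder of one site."""
    lines = [f"Access review for {site}: changes since your signed-off list"]
    for kind, label in (("added", "added"), ("removed", "removed"),
                        ("escalated", "promoted to admin")):
        for email in drift[kind]:
            lines.append(f"  - {email} ({label})")
    lines.append("If you did not authorise a change, contact support.")
    return "\n".join(lines)


if __name__ == "__main__":
    for site, d in fleet_drift(BASELINE, CURRENT).items():
        print(owner_notice(site, d))
        print()
```

The baseline has to be captured with the customer present and recorded outside the on-site unit (a signed form or a portal confirmation), otherwise a technician in service mode could simply adjust the baseline along with the access list.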
Biting the hand that feeds IT © 1998–2021