ADT Sued, Claimed 'Easily Hacked'

Published Nov 17, 2014 05:00 AM

A lawsuit has been filed against ADT.

The class action complaint claims ADT's wireless systems are 'easily hacked', that ADT knows this and yet engages in 'deceptive and misleading marketing statements.'

In this note, we examine the details and the technical claims.

The *******

*** ***** ****** ********* ****** ****** "***’* ********* *** **************** **** *** ********* ** ********** with *** **** ** ******** **** security *********" *** ******* "***’* ******* ** ******* *********** ****** *** ******** *******" ******** ********** ***** ******** **** in ******* ******.

*** ******* ***** "********* *** ** ****** *** ********* materials *** ** ****** *** *********’ wireless *******" **** ******* *******.

** **** ****, ** ****** ** specific ******* ** **** *** ** the ******* *** ****** **** *** suit.

******

*** ******* ******* **** ***'* ******** security ******* *** *********** ** **** exploits **** ********* *** *******.

**********: *** **** ******** *** **** claims ** **** *** **** *********** wireless ************* ******* ******* *** *** main *****, ** **** ********* *** sniff *** *** '***' ****** ****** from ***** ********* **** ******************* ******* ********* *************** ***

*************, *** **** ****** ******* *** trigger * ***** ** ***** ******, potentially ********* ** ***** ******** ** arm ** *** ** ***********. *** other ******** ****** * ********* ***** local ****** **** ** ******* ******* to * '*******' **** **** * notoriously ****** ******, ******* *** ******** vulnerable ** **** ****** '** *****'.

*** **** ******** ********* *** ********* makes ** ***** **** ****** ******* ***** * cybersecurity*************** ** **** ****** *********** *******:

"** *** **** ** **** ****** with ** *** ****** ****** ** the ************ ** *** **********’* ******, who *** *** ** ****. *** different *******’ ******** *** *** *** same *******: ****** ******** ************** **** the *** **** ****** ** ******* or ************ *******.** ***** ** **** ** *** signals ***** **** **** ******* ** windows *** ***** ** *** **** control ****** ***** * ***** ***, meaning ** ***** *** ************* **** sensors — ***** *** **** **** when *** ****** ** ******* — and ***** **** ****** **** ******* and ******* ******* *** *****.**** * **** ************* ***, ** could ********* **** *************, ******* *** alarm *** ******* ** ******* ** doors **** ******* **** **** *****’* or ******* *** ****** ** **** it ******’* ** ***, **** ** doors *** ****.** ***** ** **** **** ** to *** ***** ****– ********* * house ****."

Issues **** *** ******

** *** *******, *** ***** ***** bear *** ** * **** ** least *** **** *** *******.  *******, one ****** ** ** '*** ******' not ********* ** *** **** ** there ** ** ****** ** **** typical ***** ******. ***** *********** ******** ***** prove * ************* *** **** *********** grade *** ***** ********* *******,*** ******** **** ** ********* *******. ******* ** ***** *********** *******'****** ********' *** *** *** ***************** ********** **** ** ***** ***** sniffing *** *** ********* **** ******* difficult. 

*************,***'* ******** ************* ***-**** *****, *** ***** ** ******** ****** about ********** ******** ********* *******, *** does ****** **** *** ******** ***** surveillance ******* ******** ***************** *** ****** *** ***, *** then************ ***** *** *** ***** *******.

Not **** ***

***** *** ** *** ****** ** the ****, ** ***** *********** *** potential **** ** *** **** ** ADT *******. ******, ***** ******** ***** systems **** ** ********** **** ****** and *********** *** ****** ******* ********** to *** **** ***** *******.

Improving ********

******* ********* ******** ** ******* *** nor ******, *** ******** ******** *** available ** ******** ****.  **** ***** steps *******:

  • ** *****: ******** ****** ** ****** ** it ** *** ****. **** ****** (labor *********), ***** ********* ******* *** still ********* *** *** ******** ** 'high-security' ***** *******. ****** ******** ***** systems ********** *** ********* **** ********* in *** *******.
  • *** ****** ********:**** ***** ******** '****** ********' ** '********* *******' ************ ******* sensors *** ****** ***** ******* ** or *******  * ********** **** ********* difficult. *** ****** ** ****** ******** means *** ********** ********* ************** ****** between *********, *** *** ****** '****** to *** * ****** ******' ********* the **********. 

Who ** *** *********?

*** ********* ** **** *. ***** and *** *** **** *********** *** *******, *** **** ***** **** **** of ***** ********, **** ** ***** of **********, ** ***** ****** ********. ********* ** *** ********, ***** *** ** ADT ***** ****** ********* ** *** home.

"*** ****** *** *********** ********* * times *** ****** *** ** **** to *** *****. ** ************ ******* that ***** **** ******** ******* **** were ********* **** ***** ******* ***** be ******** **** *********** **** *** wireless *******.** **** ** *** ** ********** to ****** ***** ****** **** **** are *** ** **** ** ***** homes ** *** *** **** **** to ******* *** **** ** ******* to **** *** ****** **** ******* to ******* *** ******** ******* ** they *** *** ** ***********."

***** ******* ** **** *** ***** action ******* *** ******* ********* *** Offices.

Comments (9)
Undisclosed Integrator #1
Nov 17, 2014
You get what you pay for.. You pay peanuts you get Monkeys..
(1)
(4)
Undisclosed Integrator #2
Nov 17, 2014

Another ambulance chasing "expletive" which will drive up everyone's cost of doing business yet again. Exactly right, you get what you pay for and most customers want cheap. That's why there is a no down monthly model to start with. Any system can be hacked, if you have access and the right tools. Some are easier than others. It should be buyer beware, do your homework and you get what you pay for although if the marketing / literature is intentionally false or very misleading someone should be accountable. These only end well for the attorneys anyway. Well, back to my good enough world where I only will pay for a product to work 90% of the time at 80% of its potential.

(2)
Undisclosed Integrator #1
Nov 17, 2014
Agreed and this looks more like someone trying to make money. It also depends on the technology and when that technology was released. For example encryption in some cases can be easily broken with systems which are available today, but rewind back the development cycle of the hardware and it was probably deemed near impossible to crack. There is an element of kit being oversold and wireless is not perfect just like given time and money any wired system could be also bypassed. Surely any intruder alarm system is a deterrent and no system could be considered fool proof or resistant to determined attack.
(2)
Jack Sink
Nov 18, 2014
IPVMU Certified

Class action suits can and in some cases have driven substantive change for the good. To be competitive the residential customer has to be offered a system that is false alarm free, dependable and simple at a low price. Wireless offers the reduction in installation labor and no one should expect the early generations of wireless intrusion components to equal current spread spectrum, encryption capable components. In this case however it's about revenue from settlements for the specialty law firms. I don't recall ever being misled by my local hardware store regarding risk and vulnerability but there's a warning label on my new axe, a design that hasn't changed in eons, not to cut my toes off.

I suppose next a written disclaimer that states taping a box over my passive infrared motion detector will affect coverage?

(2)
Juan Abbondanza
Nov 18, 2014

This suit in the media will teach intruders to look for those ADT signs at homes to try them. And this could be worse than the weakness of the system.

I think it is fair to inform ADT customers about it; to push ADT to give some "solution path" for legacy customers and another more immediate solution for new customers; and to warn future customers about it.

But current users need time to get their problem solved before informing everyone else, I think.

Maybe the first thing to do is remove the signs, until the problem is solved.

(1)
Undisclosed Integrator #3
Nov 30, 2014

This lawsuit could have consequences beyond the immediate lawsuit plaintiffs. What is impactful to companies using misleading advertising, is they are exposed to large losses if the technology used was a factor in a loss. The company contract with limits and exclusion to liability, run the risk of having the contract set aside and will lose the protection of these contract provisions.

This could also have a chill effect on financial institutions who have provided extensive financing (especially to ADT) for the purchase of these "impaired contracts".

John Honovich
Nov 30, 2014
IPVM

"the purchase of these "impaired contracts".

For significant damages (beyond the cost of the service), wouldn't the contract holders have to actually be harmed by someone exploiting this vulnerability?

For instance, in drug lawsuits, typically the person has actually been harmed by the drug (e.g., "I took drug X and now I have debilitating condition Y as a result"). Right now, even the cyber researcher and critics are not claiming anyone has exploited this potential vulnerability.

John Honovich
Nov 30, 2014
IPVM

Btw, a US morning show posted this video last week:


At the end of the video, ADT gave a generic comment about being committed to security and improved technology, etc., etc.

John Honovich
Jun 06, 2017
IPVM

Update: this has been settled for $16 million:

ADT recently announced a $16 million settlement of the lawsuits, translating into a nationwide class settlement, the payment of legal fees for class counsel and monetary awards for subscribers ranging from $15 to $45