ADT Sued, Claimed 'Easily Hacked'

By Brian Rhodes, Published on Nov 17, 2014

A lawsuit has been filed against ADT.

The class action complaint claims ADT's wireless systems are 'easily hacked', that ADT knows this and yet engages in 'deceptive and misleading marketing statements.'

In this note, we examine the details and the technical claims.

The Lawsuit

The class action complaint filing claims "ADT’s deceptive and unlawful business acts and practices in connection with the sale of wireless home security equipment" and alleges "ADT’s failure to encrypt or otherwise secure its wireless signals" violates commercial trade practice acts in several states.

The lawsuit seeks "requiring ADT to change its marketing materials and to secure its customers’ wireless systems" plus various damages.

At this date, no claims of specific damages or loss due to the exploit are listed with the suit.

Claims

The lawsuit alleges that ADT's wireless security systems are susceptible to easy exploits that criminals can execute.

Vulnerable: The core weakness the suit claims is that ADT uses unencrypted wireless communication between sensors and the main panel, so that criminals can sniff out and 'jam' actual alarms from being triggered with inexpensive software defined radio gear easily purchased for <$15.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Alternatively, the suit claims hackers can trigger a flood of false alarms, potentially resulting in users refusing to arm it out of frustration. The other scenario paints a situation where local police fail to eagerly respond to a 'routine' call from a notoriously errant system, leaving the facility vulnerable to real heists 'or worse'.

The main external reference the complaint makes is a July 2014 Forbes article where a cybersecurity reseacher claims to have hacked ADT wireless systems:

"He was able to play around with an ADT system thanks to the graciousness of his girlfriend’s father, who had one at home. The different vendors’ products all had the same problem: legacy wireless communications from the 90s that failed to encrypt or authenticate signals. He could be pick up the signals being sent from sensors on windows and doors to the main control system using a cheap SDR, meaning he could see transmissions from sensors — which are sent even when the system is unarmed — and track when people were opening and closing windows and doors. With a more sophisticated SDR, he could interfere with transmissions, setting the alarm off falsely by telling it doors were opening when they weren’t or jamming the system so that it wouldn’t go off, even if doors did open. He could do this from 65 to 250 yards away– basically a house over."

Issues With the Claims

On the surface, the claim could bear out as a risk at least for some ADT systems.  However, one aspect of an 'ADT System' not addressed in the suit is there is no single or even typical alarm system. While unencrypted wireless could prove a vulnerability for some residential grade and older intrusion systems, ADT installs over 20 different systems. Several of those prominently feature 'spread spectrum' and 128 AES encrypted wireless technology that at least makes sniffing out and tampering with systems difficult. 

Interestingly, ADT's flagship Pulse offering is Z-Wave based, and makes no explicit claims about encrypting wireless intrusion sensors, but does claims that the wireless video surveillance element uses WPA2 encryption between the camera and hub, and then HTTPS between local hub and cloud servers.

Not Just ADT

While ADT is the target of the suit, it bears emphasizing the potential risk is not only an ADT problem. Indeed, other wireless alarm systems sold by incumbents like Vivint and Monitronics are likely equally vulnerable to the same basic exploit.

Improving Security

Hacking unsecured wireless is neither new nor exotic, and multiple defenses are available to mitigate risk.  Some basic steps include:

  • Go Wired: Wireless cannot be hacked if it is not used. More costly (labor intensive), wired intrusion systems are still available and the mainstay of 'high-security' alarm systems. Simply choosing wired systems eliminates the potential risk described in the lawsuit.
  • Use Spread Spectrum: When using wireless 'spread spectrum' or 'frequency hopping' connectivity between sensors and panels makes zeroing in or jamming  a particular link extremely difficult. The nature of spread spectrum means the connection frequency intermittently shifts between endpoints, and the phrase 'trying to hit a moving target' describes the difficulty. 

Who is the Plaintiff?

The plaintiff is Dale A. Baker and the law firm is Zimmerman Law Offices, who says their main part of their practice, with 18 years of experience, is class action lawsuits. According to the attorney, Baker has an ADT Pulse system installed at his home.

"His system was erroneously activated 2 times and police had to come to his house. He subsequently learned that their were wireless systems that were encrypted that would prevent would be burglars from interfering with the wireless systems. He felt he had an obligation to inform other people that they are not as safe in their homes as ADT may lead them to believe and also is seeking to have ADT modify this product to encrypt the wireless signals so they can not be intercepted."

Those looking to join the class action lawsuit may contact Zimmerman Law Offices.

1 report cite this report:

How to Hack an ADT Alarm System on Jan 26, 2015
This report explains the key steps in hacking an alarm system, like ADT, as...
Comments (9) : Members only. Login. or Join.

Related Reports

Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Convergint Refuses To Fix Faked Fever Marketing, FTC Complaint Filed on Jun 19, 2020
Since Convergint has refused to fix their faked fever camera marketing, IPVM...
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
17 Alarm Company Lawsuits Against Competitors Faking Them on Oct 06, 2020
Alarm companies suing rivals for faking them are commonplace, an IPVM...
ADT: 'Fever' Cameras Are Medical Devices on Jun 15, 2020
While many manufacturers are avoiding admitting their 'fever' cameras are...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
JCI Sues Genetec For Patent Infringement on Jul 13, 2020
Surprisingly, security giant JCI has sued their partner, security software...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Arcules CEO Retracts False GDPR Claim + Dahua and Milestone Claims Examined on Dec 03, 2019
Arcules CEO has retracted a false claim about his organization being a "fully...
Panasonic i-PRO Hid Huawei, Does Damage Control on Aug 21, 2020
Panasonic i-PRO hid their usage of Huawei from the public, continues to...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Coronavirus Shuts Down ADT Door Knockers on Mar 26, 2020
Coronavirus has another victim - this time, alarm giant ADT has stopped all...
ZKTeco SpeedFace+ Are Medical Devices, Per FDA Definition, Contrary Claims Are False on Jun 12, 2020
ZKTeco SpeedFace+ series products are medical devices as defined by the US...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...

Recent Reports

GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&amp;ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...
Watrix Gait Recognition Profile on Oct 16, 2020
Watrix is the world's only gait recognition surveillance provider IPVM has...
Intel Presents Edge-to-Cloud Ecosystem for Video Analytics on Oct 16, 2020
Intel presented its processors and software toolkit for computer vision at...