ADT Sued, Claimed 'Easily Hacked'

By: Brian Rhodes, Published on Nov 17, 2014

A lawsuit has been filed against ADT.

The class action complaint claims ADT's wireless systems are 'easily hacked', that ADT knows this and yet engages in 'deceptive and misleading marketing statements.'

In this note, we examine the details and the technical claims.

The Lawsuit

The class action complaint filing claims "ADT’s deceptive and unlawful business acts and practices in connection with the sale of wireless home security equipment" and alleges "ADT’s failure to encrypt or otherwise secure its wireless signals" violates commercial trade practice acts in several states.

The lawsuit seeks "requiring ADT to change its marketing materials and to secure its customers’ wireless systems" plus various damages.

At this date, no claims of specific damages or loss due to the exploit are listed with the suit.

Claims

The lawsuit alleges that ADT's wireless security systems are susceptible to easy exploits that criminals can execute.

Vulnerable: The core weakness the suit claims is that ADT uses unencrypted wireless communication between sensors and the main panel, so that criminals can sniff out and 'jam' actual alarms from being triggered with inexpensive software defined radio gear easily purchased for <$15.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Alternatively, the suit claims hackers can trigger a flood of false alarms, potentially resulting in users refusing to arm it out of frustration. The other scenario paints a situation where local police fail to eagerly respond to a 'routine' call from a notoriously errant system, leaving the facility vulnerable to real heists 'or worse'.

The main external reference the complaint makes is a July 2014 Forbes article where a cybersecurity reseacher claims to have hacked ADT wireless systems:

"He was able to play around with an ADT system thanks to the graciousness of his girlfriend’s father, who had one at home. The different vendors’ products all had the same problem: legacy wireless communications from the 90s that failed to encrypt or authenticate signals. He could be pick up the signals being sent from sensors on windows and doors to the main control system using a cheap SDR, meaning he could see transmissions from sensors — which are sent even when the system is unarmed — and track when people were opening and closing windows and doors. With a more sophisticated SDR, he could interfere with transmissions, setting the alarm off falsely by telling it doors were opening when they weren’t or jamming the system so that it wouldn’t go off, even if doors did open. He could do this from 65 to 250 yards away– basically a house over."

Issues With the Claims

On the surface, the claim could bear out as a risk at least for some ADT systems.  However, one aspect of an 'ADT System' not addressed in the suit is there is no single or even typical alarm system. While unencrypted wireless could prove a vulnerability for some residential grade and older intrusion systems, ADT installs over 20 different systems. Several of those prominently feature 'spread spectrum' and 128 AES encrypted wireless technology that at least makes sniffing out and tampering with systems difficult. 

Interestingly, ADT's flagship Pulse offering is Z-Wave based, and makes no explicit claims about encrypting wireless intrusion sensors, but does claims that the wireless video surveillance element uses WPA2 encryption between the camera and hub, and then HTTPS between local hub and cloud servers.

Not Just ADT

While ADT is the target of the suit, it bears emphasizing the potential risk is not only an ADT problem. Indeed, other wireless alarm systems sold by incumbents like Vivint and Monitronics are likely equally vulnerable to the same basic exploit.

Improving Security

Hacking unsecured wireless is neither new nor exotic, and multiple defenses are available to mitigate risk.  Some basic steps include:

  • Go Wired: Wireless cannot be hacked if it is not used. More costly (labor intensive), wired intrusion systems are still available and the mainstay of 'high-security' alarm systems. Simply choosing wired systems eliminates the potential risk described in the lawsuit.
  • Use Spread Spectrum: When using wireless 'spread spectrum' or 'frequency hopping' connectivity between sensors and panels makes zeroing in or jamming  a particular link extremely difficult. The nature of spread spectrum means the connection frequency intermittently shifts between endpoints, and the phrase 'trying to hit a moving target' describes the difficulty. 

Who is the Plaintiff?

The plaintiff is Dale A. Baker and the law firm is Zimmerman Law Offices, who says their main part of their practice, with 18 years of experience, is class action lawsuits. According to the attorney, Baker has an ADT Pulse system installed at his home.

"His system was erroneously activated 2 times and police had to come to his house. He subsequently learned that their were wireless systems that were encrypted that would prevent would be burglars from interfering with the wireless systems. He felt he had an obligation to inform other people that they are not as safe in their homes as ADT may lead them to believe and also is seeking to have ADT modify this product to encrypt the wireless signals so they can not be intercepted."

Those looking to join the class action lawsuit may contact Zimmerman Law Offices.

1 report cite this report:

How to Hack an ADT Alarm System on Jan 26, 2015
This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation. The risk of such a hack has...
Comments (9) : PRO Members only. Login. or Join.

Related Reports

Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Register Now - October 2019 IP Networking Course on Aug 28, 2019
Register now for the Fall 2019 IP Networking Course. This is the only networking course designed specifically for video surveillance...
JCI Sues Wyze on Aug 21, 2019
The mega manufacturer / integrator JCI has sued the fast-growing $20 camera Seattle startup Wyze. Inside this note: Share the court...
ProdataKey (PDK) Access Company Profile on Aug 09, 2019
Utah based ProdataKey touts low cost cloud access, wireless controllers, and no dealer required national distribution availability. But how does...
Dahua Analytics+ Tested on Aug 07, 2019
Dahua's analytics have performed poorly in past shootouts. But now, they claim their new Analytics+ "algorithms significantly improve accuracy and...
Hikvision 4K Camera Shootout on Aug 02, 2019
With their latest Smart Series 5 cameras, Hikvision is claiming cameras "fully loaded" with "state-of-the-art technology for high performance and...
Cisco Settles False Claims Act Suit For Video Surveillance Vulnerabilities on Aug 01, 2019
Cisco entered the video surveillance market in 2007 and suffered for many years through a variety of its own errors and arrogance. The conclusion...
Mobile Access Control Shootout - Farpointe, HID, Openpath, Nortek, Proxy on Jul 29, 2019
One of the biggest rising trends in access control is using phones as credentials but which offering is best? IPVM has tested five of the...
Siklu $400 Compact 60GHz Radio on Jul 24, 2019
Siklu first entered the video surveillance market with a $6,000 per link solution, is now aiming down market with their newest 60GHz wireless...
Wyze AI Analytics Tested - Beats Axis and Hikvision on Jul 17, 2019
$20 camera disruptor Wyze has released free person detection deep learning analytics to all of their users, claiming users will "Only get notified...

Most Recent Industry Reports

Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Axis Perimeter Defender Improves, Yet Worse Than Dahua and Wyze on Sep 19, 2019
While Axis Perimeter Defender analytics improved from our 2018 testing, the market has improved much faster, with much less expensive offerings...
Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Uniview Prime Series 4K Camera Tested on Sep 18, 2019
Is the new Uniview 'Prime' better than the more expensive existing Uniview 'Pro'? In August, IPVM tested Uniview 4K 'Pro' but members advocated...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Vivotek "Neural Network-Powered Detection Engine" Analytics Tested on Sep 17, 2019
Vivotek has released "a neural network-powered detection engine", named Smart Motion Detection, claiming that "swaying vegetation, vehicles passing...
Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...
How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...