[the ADT technician] took note of which homes had attractive women, then repeatedly logged into these customers’ accounts in order to view their footage for sexual gratification, he admits
Note: I replaced the gif with a still shot. The problem with your comment is that I, and likely others, are reading it as you endorsing the scene. While this was ostensibly a comedy, 37 years ago, what is shown there is certainly a crime.
Its [Revene of the Nerds] basic plot is monstrous, with the nerds, the nominal good guys, committing an escalating series of sexual crimes against their female classmates in order to get back at the men of Alpha Beta. After the Betas, along with their sister sorority, Pi Delta Pi, release a bunch of pigs into the Lambda house, the Lambdas go on a “panty raid,” breaking into the Pis’ sorority house, stealing their underwear, rushing into bathrooms to gawk at them naked in the shower, and planting hidden video cameras in the ceiling, which allow them to surveil the women after they have been chased off. The guys assemble back at the house, spying on the women changing, with Booger (Curtis Armstrong) demanding that the camera operator “pan down.” This may have been the filmmakers’ lame attempt to squeeze some “Porky’s”-style nudity into the movie, but the sight of the Lambdas shrieking and catcalling turns them from harmless geeks into outright predators. The whole thing, of course, is played for laughs.
I think as an end user you may not be aware of how much access security companies have to their accounts. With LogMeIn, Teamviewer, and all the other RMM services out there whoever installed the system likely can access it remotely. I'd say 99.9999% of the time this is used for service/troubleshooting. Especially with all the cloud VMS's out there, the master account can see all the cameras.
I'm fully aware. I was a technician/integrator long before I was the end user.
Over the years, I've seen several technicians terminated for carrying terabytes of customer data, login credentials and more on their personal storage devices.
I think as an end user you may not be aware of how much access security companies have to their accounts.
How poorly do you view your customers that this is the perspective you take on all end users? Do you view all of your customers as moronic chumps that just pay you because we are too uneducated to do or know anything? I feel sorry for your customers and hope they can find a better integrator in the future that is willing to be a partner with them.
I believe you have misconstrued my comment and did not mean to offend you. Usually when you have a service contract with a customer, you retain access to the system (much like if you outsource IT). There is no disrespect to this, simply that a lot of the time whoever installs the system can access it. Our customers are aware of this, especially when they call and ask us to log into their system to fix an issue (which correlates to the rest of my comment that the access is used for a better customer experience). I haven't had a customer upset that we can fix the issue immediately without sending a tech onsite. We do have customers who specifically do no allow remote access and we comply.
simply that a lot of the time whoever installs the system can access it. Our customers are aware of this, especially when they call and ask us to log into their system to fix an issue
I do think 2 factors make this typically different than the ADT tech case here:
(1) It's most often for businesses and businesses are not generally worried about private acts being seen where the home is different.
(2) Home cameras typically come with audio on and business one typically with audio off. Hearing what people is saying adds great risk. For example, a business might be ok with someone seeing they are having a meeting but hearing what was said would carry greater risk.
Well...many end users put their trust in their vendors an should be able to reasonably expect not to be abused...then there are end users who don't have a clue and don't bother to learn even a little bit about the basics of protecting themselves. Then there are those that fall in the "other" category.
This is a massive concern with IoT / always on cloud connected devices. With IoT I feel we are all sacrificing privacy and cyber-security for convenience. This type of event will become more common and likely remain unknown. Perhaps the manufacturers should invest their time on analytics to flag this type of activity for review. This is just begging to be regulated if these types of incidents occur further. It may be best to make the investment now versus maximizing profits until the hammer drops.
Imagine realizing you exposed sensitive data to your IoT/cloud service and wanting to delete it but finding out that the company you purchased the service from moved their recording to the Ukraine or perhaps China without notifying you. Good luck getting that shit deleted.
Imagine realizing you exposed sensitive data to your IoT/cloud service and wanting to delete it but finding out that the company you purchased the service from moved their recording to the Ukraine or perhaps China without notifying you. Good luck getting that shit deleted.
As a whole we are really setting ourselves up for a mammoth failure here. To be clear I am not opposed to the premise of cloud or IoT but the risks are not being addressed adequately.
I am not one to encourage or support lawsuits in general but this is exactly what punitive damages were made for. If ADT doesn't settle out of court for HUGE sums of money to these people that were violated they will surely find themselves on the national news. A big trial is the absolute last thing they want.
This has a 60 Minutes expose' written all over it.
I won’t flag it as disagree, but I would support them going after the employee, unless ADT management (or at least his management) knew of it and did nothing.
A tech goes back in a robs a store using the code he was given by an employee earlier in the day. Should ADT pay out the claim, or limit the damages to the contracted limits of liability.
Think about being responsible for every employee’s actions.
A tech goes back in a robs a store using the code he was given by an employee earlier in the day. Should ADT pay out the claim, or limit the damages to the contracted limits of liability.
This does raise a good point. I don't know the details of the hypothetical you give (i.e., the code that was given).
According to the government, ADT allowed its employees to put their email into the customer's account, then had no way to check if it was removed and evidently had no alerts on their end or to the customer for abnomal logins. Should they have? Many other services do. How much of this was or should have been within ADT's control?
ADT, in their statement, implies that it has some responsibility to 'help make this right':
we have individually contacted each customer to discuss their needs and concerns to help make this right. We have already worked with many of them to resolve their concerns successfully.
This seems to me to be a simple process to implement on the backend of ADT. Their technician's email login for the customer's account should time out, after say 24 hours. I don't imagine ADT are doing multiple day service calls.
Am I missing something here?
While all of our clients grant us ongoing access (non-residential) we are sure to check that after the install is complete, the site techs are removed from the client's account. Only the project manager (again when requested by the client) retains access.
Giving light of this I think we will now audit each account every 6 months and double-check we didn't miss anything.
ADT allowed its employees to put their email into the customer's account, then had no way to check if it was removed
I read that as ADT built a massive platform and didn't put into place the oversight required to protect their customers.
For sure the employee is at fault and will be prosecuted, but the fact that this happened thousands of times instead of a handful before an audit process caught it is absolutely the fault of ADT.
Every modern NVR/DVR I know of has a log for access. How many and users check it...probably none.
Test your system weekly, as it says on most residential keypads. Do they...no, it’s there so they only have to refund a month if someone claims it hasn’t been connected for a year.
I’m not defending the employee, but you can’t prevent all.
I feel especially for cloud offerings there is more responsibility on the part of the manufacturer than for traditional equipment sales.
The whole value proposition of a cloud offering is a company who will manage the software/hardware for you because they are going to do a much better job than you due to their scale. Development, security updates and oversight are part of the agreement the user is making, at least it's part of what I expect when I personally decide to sign up for a cloud offering of any kind.
If the cloud company I am using has no controls and poor hiring practices, time to find a new provider. It's the same as security in my mind, you need layers of protection. You can't ever hire 100% good employees, so you have to design systems around that.
1. While hiring practices can help, it's impossible in this case to state whether hiring or HR has any responsibility in this situation.
2. The cloud provider can only offer limited oversight to your account, particularly when it comes to access. Other than obvious circumstances, it has to depend on you to tell them who is allowed access to your account or not. What is probably as important is providing the end user with easy to use methods of ensuring unauthorized access has not been granted. As an example, I think it would be prudent for the cloud provider to email a list of authorized users to the customer on a regular period (say 6 months). This would be in addition to an internal audit process that should happen monthly.
Agree with both points, my statement on "controls and hiring practices" would be better phrased "if the company has no controls and/or poor hiring practices."
Their hiring practices could be top notch and this is the first time someone chooses to abuse a system. To your second point, systems and processes can help limit the exposure and ensure it's a closed loop system.
Yep, I misinterpreted your comments on hiring practices. Agreed, that with properly built systems and processes, exposure to this type of situation can be limited.
Other than obvious circumstances, it has to depend on you to tell them who is allowed access to your account or not.
But in this circumstance, it was the company's own employee. I could understand if the guy who did this was a random neighbor who snuck in to the person's house and added their email but that is not the circumstance here.
Pulse is a cloud based system, so you don't have to enter a person's house to add yourself to the account. While it's certainly easier to setup if you have access to the customer's phone or computer, the numerous hacks of frequent flier and similar accounts show that it can be done without any access at all.
If we want to look at this particular instance, yes it was a company employee so an audit for company emails should have caught it. However the employee can add that by simply asking the customer to add them to the account and give them a non-ADT account which would be almost impossible to flag in an audit.
As Hash mentioned, like any part of security you really need a layered approach to be effective. In this case regular audits of emails assigned to accounts as well as sending a list of emails associated with the account to the customer would both serve to prevent this in the future.
Sure but in this case, ADT authorized their employee to have access to these 200 customers accounts so ADT has responsibility to ensure their employees do not abuse it, yes/no?
Imagine a different case were an ADT employee is shopping at the supermarket and somehow distracts a person to get access to their phone and then adds in their email address to the ADT account. In this case, I would not see any responsibility for ADT as a company since the person did it entirely on their own and unrelated to work. Does that distinction make sense?
I'm not discounting ADT's responsibility in this, they are absolutely responsible for maintaining the proper systems and processes to prevent unauthorized access by their employees. What I am saying is that in some cases it can be next to impossible for the company itself to prevent that without some level of customer action.
Per the press release on the DOJs page, he added his personal email to their Pulse account, not a work email. "In some instances, he claimed he needed to add himself temporarily in order to test the system; in other instances he added himself without their knowledge."
If he asks the customer to add him to their account to "test" it, and gives them a personal email like "newt444@gmail.com" how exactly is ADT going to be able to determine if that email address belongs to an ADT employee or someone the customer legitimately granted access to?
It seems to prevent this specific situation from happening there are three reasonable steps any cloud provider should take:
1. Provide an alternate interface for support staff with appropriate restrictions (i.e. can only login when a support ticket is logged, all interactions are logged and there is no ability to add new users to the account.)
2. Ensure that the customer is aware that they should not add ADT employees to their account for any reason. This message probably needs to be repeated on a regular cadence.
3. Send a periodic email to the customer with the emails associated with an account so the customer can verify them.
These sorts of actions from a rogue individual gives a black eye to the whole industry and the victims deserve due justice. I agree that this is not anything to be taken lightly by anyone.
One of the biggest problems as I see it is that some integrators keep back door logins as a way to "help" the customer if they ever lose their password. Some integrators will not even share the "full admin" login with the customer so that they can maintain the relationship through a ransom of sorts if the customer decides to go with another integrator. Yet others will not even train the customer as to how to fully operate their system so that the integrator can have a "hold" on them. There are many software applications out there that can safeguard sensitive credentials by creating secure credentialed access to customer information. Integrators need to realize the system that the customer paid for does not belong to the integrator and does not give the integrator the right to hide or hold login credentials. This may lead to a change in how things are initially programmed. Meaning, that integrators may need to teach and inform the customer ahead of time to create their personal account and then log in for the integrator to access or to create a login for the integrator and show the customer how to delete or limit the account if they desire. Transparency and education are what deepens a relationship between the customer and the integrator it does not erode it.
I'm still a little uncomfortable with how my company handles things. We don't do residential systems, so not as easy for a nightmare scenario like ADT, but we still have a person (me) who has full remote access to a bunch of NVRs. I don't think my bosses even realize how wrong it could go if I went crazy.
The main thing that we do as a company is hire people we trust. There's a core of 8 or 9 employees who all grew up together and go to the same church. The owners knew me a several years before they hired me.
If a company doesn't have a secure mindset while being built, it's hard to change it later on. Any change to the structure means that technicians have to work longer on each job, which leads to lower profits and frustrated employees.
It's just so much easier to have the all-seeing office guy remote in and fix everything.
I should mention there's probably more to the story than that. In my boss's experience, customers really don't know what to do with admin access anyway. We deal with a lot of computer illiterate people. There's a risk that they'll break things by accident. As for transferring to other integrators, we promise that we'll always help out if the customers do change.
So in the end I guess we're relying on trust. We do business because the customers trust us. My boss gives me full privileges because he trusts me. It would be nice if we upgraded to "trust but verify", but that's where we're at for now.
If they go after the guy, what are they going to get from him? He's likely unemployed and going to be spending some time behind bars. You could go after the employee but doubtful you will get anything. Vicarious liability
A tech goes back in a robs a store using the code he was given by an employee earlier in the day. Should ADT pay out the claim, or limit the damages to the contracted limits of liability.
I think the difference between your scenario and the one in the article is that ADT made no effort to reasonably restrict further access or even audit system access after commissioning. They admit there is a policy to ensure this, but then failed enforce it. I think that is where they screwed up.
Actually what's missing from the IPVM reporting is that the employee got the customer to add a his personal email to their account or he added the email without the customer's knowledge. In that case this policy wouldn't apply because he never was supposed to use a non-ADT email in the first place. It's also almost impossible to enforce because how can you tell that newt444@gmail.com is a legitimate user for that account or not, with the exception of asking the customer.
Hmm... I wonder what would have happened if the guy had borrowed a page from the phishing playbook instead? newt444@gmail.com is pretty obvious, but what about service@accounts-adt.com? People aren't trained to notice lookalike domains everywhere. There's a chance that a few other ADT employees. "Yeah, I've seen those in a lot of systems. I guess it's one of the service accounts, so don't delete it."
There are two real problems with relying only on that approach, one realistic and one not:
1. What if the employee is only really interested in 1-2 accounts and has a much deeper interest (i.e. stalker). You're not going to detect that because it will fall below the threshold.
2. More unlikely but plausible, if the employee knew about the audit or was concerned about that, they can maintain multiple different email addresses to get away with it.
Either way audits won't catch these individuals, the only way to do so is for the customer to vet who is accessing their system on a regular basis.
There's no single approach to avoid something like this. Not all customers are going to vet who has access to their system and putting the onus on the customer doesn't always work out.
"Ma'am I understand that someone within our company has been accessing your cameras. Did you check to see who has access? That is your responsibility."
An audit might catch some suspicious activity and it might not others. Querying a DB for multiple accounts containing the same email address should be rather quick. There is always the case that someone in IT that has access without needing user credentials with system level rights.
We can poke holes through every possible scenario. Important to start somewhere.
I agree on starting somewhere and audits are an important part of that but I don't think audits alone will protect the integrator from a legal standpoint.
Whether they actually review it or not, making it easy for the customer to see who can access their account with a quarterly email list costs nothing but does help legally. As does including reminders in company correspondence to ensure customers don't allow employees access to their accounts unwittingly.
Not even a comparable scenario. They most certainly should have known something like this was going on or at least possible and slammed the door on it years ago. At best this was gross negligence on their part.
Per Wikipedia, the following is the plot of the South Park episode / scene:
A TSA employee who masturbates while monitoring bathroom security cameras sees that Cartman, armed with a gun, has taken a TSA checkpoint inspector and a baby hostage in his bathroom, before disabling his camera. Randy Marsh leads the public in speaking out against the TSA and the fact that it allowed a terrorist with a gun and a baby past a security checkpoint. Randy also announces that they are all determined to contact Harington with a public sueance.
My head hurts from reading that.
The fact that popular culture covers a similar scenario is notable though I am still not sure of the point of this scene.
John, I'm surprised and disappointed that you left the South Park video up. I typically don't say anything about posts being taken down but, this is clearly inappropriate and likely highly offensive to many in the workplace.
It is on YouTube and it is described on Wikipedia so this begs the question if they should censor it too.
I would have easily deleted it if it was off-topic (for example, someone asked about the best LPR camera and someone responded with this) but it is, considering how disgusting ADT tech behaved, related.
I see a couple of complications with simply relying on an audit in this case.
1. ADT employees may also have their own Pulse accounts tied to their company email address, so you would need to tailor the audit to make sure you don't catch a valid use of their email address.
2. The original report mentioned he used a personal email address. If the techs can add a personal email address on their own, then it will be nearly impossible for an audit process to catch and makes it more important for the customer to be auditing. A simple email with a list of all email accounts associated with the account would help catch this from the customer side.
This is where a special technician level interface with appropriate logging and cross checking comes in (no access without a valid ticket and if tracking tech location they have to be onsite.)
This is concerning as ADT seems to excuse this as it was "required by policy" to remove employee email accounts after setup. That is like saying building inspectors aren't needed because building code exists.
You need a means to either enforce or inspect what you expect, ideally both.
That isn't a new concept, and it's appalling they allowed such a glaring flaw in their process for at least half a decade if not more.
What's unclear is what actual steps were taken to enforce the policy and did the employee attempt to circumvent them. A real easy way to avoid audit would be to ask the customer to add a personal email to the account for "testing", promise to take it out and then don't. This would avoid an audit and setting off of any red flags because there's not easy way to tie a technician visit to a change made in a cloud system.
ADT has since moved off the Pulse platform onto Command, so it's unclear if the new platform would have the same issues.
I used to know the owner of a local company who would proudly show off his attractive client's cameras, and brag about what he'd seen. He'd also brag about "breaking in" to other camera systems using default logins. We'd done some business with him for years which I immediately ended and informed several mutual clients of what was going on, one of which basically knew about it and had disconnected his cameras because of it. One of my biggest regrets was not reporting him at the time, but then again he showed it to everyone, so apparently, I wasn't alone. Absolute creep. And I'm going to post this disclosed, I can hope he's on here and sees this, maybe he'll start thinking a bit more about his actions.
This is disturbing but, it reminds me of a friend that works on DoD black projects...If there is a device in the area, assume it's recording and/or viewing all the time. This goes for cameras, laptops/computers, plasma TV's...heck, even refrigerators are starting to store AI data from their environments.
This doesn't excuse anything about this situation but, the only real way for people to protect their privacy is to take an active role and not depend on a provider or manufacturer to protect you.
think it is terrible what this technician did. an electronic peeping tom. There will always be bad people. People who know the blind spots or weaknesses of your video system and can use to their advantage - residential or commercial. We all need to be careful and cautious.
Also think ADT has a huge responsibility to assure things are monitored and regulated - not just "our policy". Especially since a customer is the one who found out the situation
People / Customers thought their cameras were private. Has to be a terrible feeling to find out "someone" has been secretly watching you for years.
Anyone who thinks their cloud connected camera is private is kidding themselves. Just like the incidents involving people able to access audio on Alexa and Google Home devices, there are ways authorized or otherwise that employees use can get access. There's a reason, outside of a test, you'll never see me put a camera in a bedroom, bathroom or other private space of my home.
or Facebook - storing everything, categorizing and watching - using facial recognition to find you in the background of someone else's post. or keeping data about you - even if you are NOT on FB (via others you know)
I'll never forget the time I was posting a vacation photo and Facebook picked a random face out of the crowd in the background and tagged it with a user. That was freaky.
If I agree to the open spying then yes it is ok. If I do not have a way to opt out, then no it's no different than the tech spying on my daughter.
Update: ADT Technician Sentenced for Hacking Home Security Footage
A home security technician was sentenced today to 52 months in federal prison for repeatedly hacking into customers’ video feeds
Agree
Disagree
Informative
Unhelpful
Funny
Create New Topic
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Comments (67)
Undisclosed #1
This is one technician. Imagine all the cases we don't know about...
Create New Topic
Undisclosed #2
If your mind didn’t immediately take you to this scene, you haven’t lived:
Create New Topic
Undisclosed #1
This thread aged well...
ADT Technician Added His Personal Email Address To Customers’ Accounts During Service Visits. That Gave Him Varying Levels Of Access To Their Systems, Including The Video Streams
Create New Topic
Undisclosed Integrator #3
This is a massive concern with IoT / always on cloud connected devices. With IoT I feel we are all sacrificing privacy and cyber-security for convenience. This type of event will become more common and likely remain unknown. Perhaps the manufacturers should invest their time on analytics to flag this type of activity for review. This is just begging to be regulated if these types of incidents occur further. It may be best to make the investment now versus maximizing profits until the hammer drops.
Create New Topic
Ross Vander Klok
I am not one to encourage or support lawsuits in general but this is exactly what punitive damages were made for. If ADT doesn't settle out of court for HUGE sums of money to these people that were violated they will surely find themselves on the national news. A big trial is the absolute last thing they want.
This has a 60 Minutes expose' written all over it.
Create New Topic
Dirk Hedlund
Create New Topic
Undisclosed Integrator #7
I see a couple of complications with simply relying on an audit in this case.
1. ADT employees may also have their own Pulse accounts tied to their company email address, so you would need to tailor the audit to make sure you don't catch a valid use of their email address.
2. The original report mentioned he used a personal email address. If the techs can add a personal email address on their own, then it will be nearly impossible for an audit process to catch and makes it more important for the customer to be auditing. A simple email with a list of all email accounts associated with the account would help catch this from the customer side.
This is where a special technician level interface with appropriate logging and cross checking comes in (no access without a valid ticket and if tracking tech location they have to be onsite.)
Create New Topic
Undisclosed End User #8
This is concerning as ADT seems to excuse this as it was "required by policy" to remove employee email accounts after setup. That is like saying building inspectors aren't needed because building code exists.
You need a means to either enforce or inspect what you expect, ideally both.
That isn't a new concept, and it's appalling they allowed such a glaring flaw in their process for at least half a decade if not more.
Create New Topic
Undisclosed Integrator #7
What's unclear is what actual steps were taken to enforce the policy and did the employee attempt to circumvent them. A real easy way to avoid audit would be to ask the customer to add a personal email to the account for "testing", promise to take it out and then don't. This would avoid an audit and setting off of any red flags because there's not easy way to tie a technician visit to a change made in a cloud system.
ADT has since moved off the Pulse platform onto Command, so it's unclear if the new platform would have the same issues.
Create New Topic
Joseph Parker
I used to know the owner of a local company who would proudly show off his attractive client's cameras, and brag about what he'd seen. He'd also brag about "breaking in" to other camera systems using default logins. We'd done some business with him for years which I immediately ended and informed several mutual clients of what was going on, one of which basically knew about it and had disconnected his cameras because of it. One of my biggest regrets was not reporting him at the time, but then again he showed it to everyone, so apparently, I wasn't alone. Absolute creep. And I'm going to post this disclosed, I can hope he's on here and sees this, maybe he'll start thinking a bit more about his actions.
Create New Topic
Corbin Hambrick
I would think something like what credit cards do now, would be in order here.
Send me a notification when someone connects/logs in to my account.
The default would be always for everyone and the customer has the responsibility to change that putting more of on onus on them.
...but I do feel ADT has some culpability here and needs to "fix" their internal issues.
Create New Topic
Undisclosed Manufacturer #10
That’s just despicable!
Create New Topic
Undisclosed Integrator #12
This is disturbing but, it reminds me of a friend that works on DoD black projects...If there is a device in the area, assume it's recording and/or viewing all the time. This goes for cameras, laptops/computers, plasma TV's...heck, even refrigerators are starting to store AI data from their environments.
This doesn't excuse anything about this situation but, the only real way for people to protect their privacy is to take an active role and not depend on a provider or manufacturer to protect you.
Create New Topic
John Honovich
Kirschenbaum has now published a new newsletter, saying:
That's bizarre advice, even if it's somehow meant to be funny.
Create New Topic
Undisclosed Integrator #13
think it is terrible what this technician did. an electronic peeping tom. There will always be bad people. People who know the blind spots or weaknesses of your video system and can use to their advantage - residential or commercial. We all need to be careful and cautious.
Also think ADT has a huge responsibility to assure things are monitored and regulated - not just "our policy". Especially since a customer is the one who found out the situation
People / Customers thought their cameras were private. Has to be a terrible feeling to find out "someone" has been secretly watching you for years.
Create New Topic
Undisclosed Integrator #13
this makes me think about Amazon and Google - "Listening all the time"
Amazon Staff Are Listening To Alexa Conversations -- Here's What To Do
or Facebook - storing everything, categorizing and watching - using facial recognition to find you in the background of someone else's post. or keeping data about you - even if you are NOT on FB (via others you know)
9 Terrifying Ways Facebook Uses Your Data - Privacy Australia
but I guess "openly" spying on you - is ok.?
Create New Topic
John Honovich
Update: ADT Technician Sentenced for Hacking Home Security Footage
A home security technician was sentenced today to 52 months in federal prison for repeatedly hacking into customers’ video feeds
Create New Topic