Arcules CEO Threatens Over "Security Breach"

By John Honovich, Published Nov 25, 2019, 09:21am EST

An Arcules employee called out a recent 'security breach'; however, the Arcules CEO disputed this as 'inaccurate' and threatened to sue IPVM.

IPVM Image

Inside this note, we examine:

  • What the Arcules employee claimed was a 'security breach'
  • Arcules CEO response and partial explanation of what happened
  • New VSaaS security concerns, not possible with VMSes
  • False claim that "Arcules is a fully compliant GDPR company"
  • Arcules CEO legal action threat
  • Problems at Arcules

'Security ******'

******** ******* ******** **** ****** **** IPVM **** ********* *** *********. *** key ****** **** ** ******* ******** were:

* **** **** ****. ** ******* integator *** ***** ** [********] ******* and ** ** ******* *********.

**** ** * ******** ****** ** their ***. ****** ** ** * bug ** ************.

**** ** * ******** ****** ** [REDACTED] ******** ** ***** **** * bug ** *** ****. ****** ***** this ** * ****-***. **** *** need ** ****** **** ** *** on-prem ******** ****** *******.

** ********, ** ******* ******** **** that *** ********* *** **** ***** since *** ****'* **** *** *** capture *** ******* ********** ***** ***** by *******:

*** *** ***** *** *** ***** about *** ****** *** *** *** and ** ***** ** *********** *** nothing *** ******** ***** **** ** the *** *****.

CEO ******** *** ******* ***********

***** ** ******** ******* *** **** we ******** **** ************* *** ****** we ********* **** ****,******* *** ********* *** *** ******** post** *** *****:

IPVM Image

*** **** ********* ***** **** ******** was **** ******* **** ** ******** information *** **** *********:

** ** *****, ***** * **** thorough *** ******** ******** *************, ** know **** ** ** ***** *** any ******** *********** **** ********* ** unauthorized *****, *** ** ***** ****, camera, *******, ** ***** *********** *** accessed, ****, ** *********.

** ** ***** **** ******* **** Arcules ********** ***** ** ********** *** that *** *** **** *** **** integrator ****** ****** ***** ******* *******. What ** ******* ** **** *** impact ** ** ******* ********** ***** added ** ** *** ****'* ******* is.

** ***** ******* ** *******, ******* simply *********, "** ******* ********** ***** not **** ******".

**** ******* ** ***** ** ******* future **** ****** ** ******* **** the ******* ******* ****:

** ***'* ******** *** ******** ******** processes, ****** ** *** **** ** adjusted *** ******** ******* **** **** rise ** *** ******* ******

VSaaS ******** ******** ********

**** ** * *********** ******** ******* with ***** ********* - *** ** they ****** **** ***** *********, ********, others, ***. ** *** *** ****** to * ******** ******* **** *** VSaaS ********?

** ** ********** ********* **** *****. It ** ************* ********** *** *********, as ** *******, ** **** ****** access ** * ********'* ******** ****** for *** ****** ****** **** ********* does *** **** ****** ** **** systems. **** ** * ********** '*** to *** ****' *********, ** ** just *** ********.

**** *******, ******* ** ** ******* or ***** *** ** ******* ** Verkada, ***., **** ** * ******* concern. *******, ** **********, **** ******** access ** ***** ********'* ***** ************ system ********* ******** ****** **** ***** local **** ******** (***** ***** ********** or ******* *** **-****).

** ******* *** ********** ** *********** allow ** **********, ** ********, * random **********, ***. ****** ** * customer's *******. ******* *** ***** ************ but ** ** *** **** ***** how **** *** ******** **** **** does *** ******.

** *** ** ** ** ***** for *** ***** ********* *** ********** for **********-******* **** **** ******* ***** their ********* *** *** ***** ** shrug ********* *** *** "* ***'* care ** *** *** ** ** my *********".

False **** *****

*********** *** *******,******* ***'* ******** *********** ******:

IPVM Image

**** ** ********** ****** *** ************* in *** **** ****** ** ******* CEO '********* *** *****'.

** *** ****, ******* **** ***** their **** ****** ** *** ** Cloud **** ** ******* *** **** cannot ** *** ***** ** **** GDPR **********. ******* ******** ** **** to **:

******* ** ********* **** *** ************ under ****.** **** ******* ******** ********, *********, and ********** **** ***** ******* ******* of ****.** *** ******* ** ****** *** GDPR ** *** ******* **** ********** Regulation (****) ********** **** ************* *** members ** * **** ** *******. Arcules ** * ****** ** *** EU ***** **** ** ******* *** recognizes ** **** *** **** ******* fully *********.

***** ******* ****** **** *** ** Cloud **** ** ******* **** *** make ******* * '***** ********* **** company' ** ** ******, **** ****? We ***** ******* **** ** * follow-up ******* *** **** *** *** no ********.

******,***** ******, *** ************ **** **** **** Code ** ******* ***** **** ****'* Charles ****** **** ****, ********** **** this ** *****:

** ********* *** ****, *** ******* speaking **'* *** *******. ** ***** be * ******* ** *** **** companies **** ****** ** *** *** are ************* **** *********. **** ** CoC, **** *** *********** ********** [** the ****] ** **** ** ***** services ** **********. *** *** ***** company.

********, ************** ********* ******* *** ** **** of ******** **** ***,******* *** *** ********* **** *** provisional ********** **** **** *****.

*** **** *** *** ***** * company **** ******* ************ *** ***** but ***** * ******* ***** ***** about ****? *** **** ***** ************* does **** ***** ** ****** *** trusted ******* ***** **** **** **** fully **** *********?

Legal ****** ******

****** *** ****, ******* *** ********** to *** **:

*** *********** ** ******* ** ******* confidential *********** ***** ** ********* ** Arcules *** *** *********, *** ** would **** ** ********* ** **** legal ******.

** ***** ** ********* * **** week ****** **********:

*** ***** **** *** *********** *** obtained / ****** ** **** ********, not **. *** ** ** *** have *** *************** ** ***-********** ********* with **** *******. **** ** *** doing **** ** ******** **********. ** you ******, **** * ********* *** immediately **** ** * ***** *** desist ****** ** **** ********* *** clarify **** ******* *** *** ****** this ***** ******* **.

***** *** ** ******* ******** **** Arcules. *** ***** *** ****** ** grounds *** **** * ******. **** most ********* ** *** ****** ******* does *** ********** **** ** ******* thinks **** *** * ****** ***** tactic ******* **.

Problems ** *******

** ******, **** ** **** *** most ****** ** ******* ******** ******* have ***, ** *** ********* ********* to ******* ** *** **** ****:

IPVM Image

********** *** *** *********** ********** ********, **** **** *** / **** ** ***** last *****. ***, ** **** **** *****, various ******* ********* *** **-********* *** frustrated **** ******.

** ** *** * *** **********. Arcules ** *** '*****' ** ***** and *********, ** ** *** *** the ********, ********* *** ***** * 'startup' ***** ****. ***, ***, ** struggles.

** ***** ***** ***** *** ********* will ****** **** *** *** ***, as ** ******, ******* ** *** year,******* ** ******* ******** *** ********* too, ** ** ** ************ ******** the ***** '******' **** ****** ***.

Comments (18)

FWIW, this is exactly the kind of scenario I was alluding to in my post on the "Most Secure Way To Remotely View Cameras" discussion.

Cloud systems offer a lot of utility, and for many users may be more secure than what that user could implement on their own, but they still have the inherent risk that you are trusting the operator to be smarter than you are. (or, at least as smart as you).

Agree: 9
Disagree
Informative: 2
Unhelpful
Funny

That's a good point. So Arcules or Hikvision Hik-Connect? Which cloud service do you trust more? :)

On a more serious note, I do think all cloud video surveillance providers are going to have to seriously define their process / procedures for allowing access to accounts / users. You will still need to trust that what they are saying is truthful / correct, but at least it shows some thought / attempt to restrict access.

Agree: 11
Disagree
Informative
Unhelpful
Funny

That's a good point. So Arcules or Hikvision Hik-Connect? Which cloud service do you trust more? :)

Neither. If you provide access to your data to a third party it cannot be inherently secure. In using cloud services it is probably best to assume that someone else is looking at your data.

Agree: 3
Disagree
Informative
Unhelpful
Funny

VSaaS Specific Security Concerns

I wonder how other VSaaS providers are dealing with this.

Agree: 5
Disagree
Informative
Unhelpful
Funny

#2, we will be including this question / topic in future VSaaS tests and reporting, thanks.

Agree: 2
Disagree
Informative
Unhelpful
Funny

I'm looking forward to the release.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Irony: In the same LinkedIn post that the Arcules CEO is touting being 'open' and 'transparent', he disables comments:

While comments can be painful for authors to deal with, exposing oneself to comments makes one's thoughts and writing be sharper since you have to contend with pushback and counterarguments.

Agree: 3
Disagree
Informative
Unhelpful
Funny: 2

Was it a random integrator added to the account? Or someone that was related to the project but was not supposed to be added?

Agree: 2
Disagree
Informative
Unhelpful
Funny

I don't know who the integrator was or how they were related [or not] to the customer, just that the customer strongly objected to them being added and viewed it as a security breach.

Agree
Disagree
Informative
Unhelpful
Funny

Such wonderful spin from Andreas. It's the good old "WE are the victim here" sob-story. Painting the employee as a snitch with some ulterior motive is just the icing on the cake.

I have no reason to believe that Arcules is any better or worse than anyone else in their handling of account access. They're probably better than Amazon and their Ring team in Ukraine, but that's an extreme example - and evidently most people don't really care. I think you'll find that this is the case here as well.

In principle, the employee is correct - it's a security hole that Arcules employees autonomously can add user accounts (w/o logging it!). They can probably watch the cameras as well (probably w/o having to create a user account on their customers system). The question many users are asking is this: So what?

I think we're sometimes overestimating the value of good and robust security to the regular users, and we're inflating the importance of it. Only to then be using it to beat each other over the head. All the while making all sorts of unreasonable assumptions about motives and completely ignoring Hanlon's razor.

This posturing can be confusing to honest employees, who think the companies are being serious. The employee then discovers a security hole, and to their surprise, she is met with shrugs and meh's... under pressure from the customer and with no support from the company, the poor fella reaches out to John, and now everyone is a suspect and that person is probably not working there anymore.

To be sure, there are cases where security plays a major role, but surely no-one who takes security seriously would use a VSaaS solution, or even consider exposing their VMS/NVR/DVR directly to the Internet.

I'm guessing that the whistleblower, snitch, rat, whatever you want to call him/her is OK with being identified (to Arcules). I hope that's the case, otherwise it's pretty clear that IPVM is not the place to share such knowledge.

Agree: 1
Disagree: 1
Informative: 2
Unhelpful: 1
Funny

surely no-one who takes security seriously would use a VSaaS solution, or even consider expose their VMS/NVR/DVR directly to the Internet.

That's not correct. From their internal messages, I saw 2 large companies that are household names and another that was a serious financial firm that was using (or at least piloting) Arcules.

So while I agree with you about most Ring customers not caring about the Ring / Ukraine security incident, Arcules is going after large and sophisticated customers that definitely care.

To your point, though, I was surprised these customers would even consider Arcules, given their overall issues and general risks of putting cloud-connected devices inside their enterprises. That said, Arcules has a lot of money and connections via Milestone. The question becomes can Arcules close / take over such accounts.

Agree: 2
Disagree
Informative: 3
Unhelpful
Funny

surely no-one who takes security seriously

Added emphasis. Just because you're big does not mean you take it seriously.

Evidence?

List of data breaches - Wikipedia

Agree: 2
Disagree: 1
Informative
Unhelpful
Funny

Just because you're big does not mean you take it seriously

Lol, these companies believe they take it seriously. Now whether they do or meet your definition of 'seriousness' is another question.

But their reaction to this integrator being added to the account shows a much higher level of seriousness than your average Ring customer, perhaps we can agree on that?

Agree: 1
Disagree
Informative
Unhelpful
Funny

I'll agree that THIS customer took it seriously, and Arcules (seemingly) didn't - hence it escalated. Since I haven't seen the emails, I don't know how hard the whistleblower pushed for escalation, but it seems to me that reaching out to you was the last resort and so here we are. Ring users have little recourse against Amazon, and there's probably a stipulation buried in the 100 page EULA about this sort of thing.

I'll agree they take it seriously, but in a weird way; like if I was "serious" about my health by reading a lot of articles about the consequences of a bad lifestyle and worrying a lot, but never actually exercising and living on a diet of donuts, coffee and fried chicken.

I expect the guy at the counter will tell you that fried chicken is not actually bad for you, and reminisce about his great granddad who ate a bucket of chicken every day, smoked 20 unfiltered cigarettes a day and lived to be 110 (he probably also worked in an asbestos factory since the tender age of 9).

Sure, I am exaggerating here, and so the question is - can an end user reasonably expect a secure VSaaS system, which - obviously - entails defining what "secure" means.

I think, in principle, it can be done - and with a level that even I would consider safe, so I don't blame the clients for assuming that Arcules has actually done it, and then wondering how on earth Arculess (which is how I will spell it from now on) staff was able to add some random user to their account. That sort of thing just smells bad. Like when the authorities find a rotten, moldy piece of meat in the fridge of a restaurant, and the owner (predictably) says "that was a one-time incident, and we cleaned it right up within 10 minutes!".

I guess having thought about it a little longer, I'll say this: I think there's a case for VSaaS even for companies that are serious about security. The question is - how do you prove that a VSaaS solution is secure without making the code publicly available?

Agree
Disagree
Informative: 2
Unhelpful
Funny

What a shame. Some rules for professional VaaS/SaaS solutions:

The provider has no access to any customer related data or configurations.

A customer's administrator has no access to its own (video) content. Even a provider's administrator has no access to it (we use end-to-end encryption).

Any event/configuration/accident has to be documented in a protected protocol. A manipulation of this protocol has to be prevented or documented (we use a blockchain).

These and several more rules prevent professional service providers from losing the confidence of their customers. And they are in accordance with well-known data protection and data security laws and rules. A cloud solution consists of a technical and a psychological part. Both are missing here.

Frank

Agree: 3
Disagree
Informative: 3
Unhelpful
Funny
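The two comments above make the same point from different directions: one notes that provider staff can add user accounts to a customer's system without logging it, the other lays down the rule that every access event must be recorded in a protocol that cannot be silently altered. The following is an added example, written for this page and not code from Arcules, the commenter's product, or any real provider. It models a minimal version of both controls: a grant by anyone outside the customer's organisation is refused unless it carries a customer-admin approval id, and every attempt, allowed or refused, is appended to a hash-chained, HMAC-authenticated log so that deleting, reordering or editing an entry is detectable. The tenant, user and actor names, the key and the approval id are all constructed for illustration. A hash chain keyed by the customer is a lighter-weight substitute for the blockchain the commenter mentions; it gives tamper evidence against the provider as long as the key is held by the customer (or an independent log service), not by the staff whose actions it records.

```python
"""Tamper-evident audit log for tenant access grants (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor: 'prev' value of the first entry


def _canon(event: dict) -> str:
    """Canonical JSON so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


@dataclass
class AuditLog:
    # Key held by the customer or an independent log service, NOT by the
    # provider staff being audited. Hypothetical key for the example.
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, prev: str, event: dict) -> str:
        # Each entry authenticates its own content AND the previous entry's
        # MAC, so removing or reordering entries breaks the chain.
        return hmac.new(self.key, (prev + _canon(event)).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "event": event,
                 "hash": self._mac(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Return (True, -1) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["hash"], self._mac(prev, e["event"]))):
                return False, i
            prev = e["hash"]
        return True, -1


class AccessPolicyError(Exception):
    pass


def grant_user(log: AuditLog, tenant: str, actor: str, actor_org: str,
               new_user: str, role: str, approval: str = None) -> dict:
    """Add new_user to tenant. Actors outside the tenant (provider staff,
    partner integrators) need a customer-admin approval id. Every attempt
    is logged before the outcome is returned or raised."""
    event = {"type": "user.grant", "tenant": tenant, "actor": actor,
             "actor_org": actor_org, "user": new_user, "role": role,
             "approval": approval}
    if actor_org != tenant and not approval:
        event["outcome"] = "denied"
        log.append(event)
        raise AccessPolicyError(
            f"{actor} ({actor_org}) may not add users to {tenant} without customer approval")
    event["outcome"] = "allowed"
    log.append(event)
    return event


def demo() -> dict:
    """Walk through the scenario: a customer admin grant, a provider-staff
    grant without approval (refused but recorded), an approved one, then a
    'cleanup' that deletes the refused entry and is caught by verify()."""
    log = AuditLog(key=b"customer-held-audit-key")  # constructed
    grant_user(log, "acme", "alice@acme", "acme", "bob@acme", "viewer")
    try:
        grant_user(log, "acme", "staff1@provider", "provider", "ext@integrator", "admin")
    except AccessPolicyError:
        pass
    grant_user(log, "acme", "staff1@provider", "provider", "ext@integrator",
               "viewer", approval="chg-0042")  # constructed approval id
    intact_before = log.verify()
    del log.entries[1]  # provider tries to erase the refused attempt
    return {"entries_before": 3, "intact_before": intact_before,
            "after_delete": log.verify()}


if __name__ == "__main__":
    print(demo())
```

Note that `verify()` reports the first entry whose sequence number, back-pointer or MAC no longer matches; in `demo()` that is index 1, because the entry now sitting there was built on top of the deleted one. An attacker who holds the key can of course rebuild a consistent chain, which is why the key must live with the customer, and why a second copy of the entries (or of the latest hash) should be shipped to the customer as they are written.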

I was selling network security in 1993 when "network security" was a packet filter on a router. At that time very few people had access to any WAN resources. That dynamic has shifted dramatically.

The problem is not VSaaS security per se; it is that other companies that rely on VSaaS may not be as picky about security protocol as you are. For example, I still see people with their login information on a sticky note on their computer. I see people that are casual about the applications they download to their cellphones. The issue with VSaaS is similar to the issue with security in an IoT environment: the more people that have access to a network resource, the more insecure it is. Home Depot and Target were hacked because third-party heating and A/C technicians downloaded malware to their PCs. That malware jumped from wireless thermostats to the computer network.

In the past few months I have spoken with many integrators that, in their quest for recurring revenue, are pushing cloud solutions like Arcules. I am not suggesting that a VSaaS offering should never be considered. What I am suggesting is that it is a decision that should not be taken lightly. The security risks are not negligible, and integrators would do well to cover risks and security strategies with their clients.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

Update: Arcules has removed its false GDPR claim, changing the text to a much more qualified / limited claim:

Agree
Disagree
Informative: 2
Unhelpful
Funny
