Screw-up: Vivint Cloud Video

By: John Honovich, Published on Feb 11, 2013

Who can see your cloud stored video? For at least one Vivint customer, the answer is complete strangers. An ongoing concerns of cloud-based surveillance is privacy and security protections in place to prevent unauthorized viewing. In this note, we take a look at one example where 'remote video' went wrong, the questions it raised, and what alternatives avoid the problem.

Vivint's Mistake

The report below details the surprise a 'Vivint Video' customer experienced when he logged into his VSaaS account and reviewed video clips. Several of clips available for him to view were segments recorded by cameras from other user's accounts. See the video embedded below for more details:

This screen cap shows an example of the 'bug', consisting of another Vivint Video customer oblivious to the fact that others can see what his camera is recording:

In terms of mistakes, this gaffe ranks among the worst possible missteps a VSaaS provider can make. While the root cause of the problem appears to be technical and not malicious, the fact the event occurred at all indicates significant shortcomings in how Vivint's 'cloud' handles the video.

Widespread Problem?

In the clip, Vivint claims "this is the first time an event like this has been reported" and is investigating the issue in detail. Regardless of how widespread this particular issue proves, the customer detailed in the clip has been unnerved by the discovery, and lost confidence in Vivint's offering.

Adding insult to injury, the customer explains that he has repositioned his camera to disable their views, since Vivint "has locked him into a [service] contract" and he must "still pay for a security service he cannot trust". While unsatisfactory to most, this response is inline with both Vivint's sordid customer service reputation and the alarms industry in general that frequently requires multi-year monitoring contracts with punitive early termination penalties.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

VSaaS Risk

While 'hosted' service vendors downplay this situation from being possible with claims of 'bank-grade encryption' and 'accessible only by your password', it remains an inherent risk to most cloud-based platforms. As the situation above reveals, even password protected accounts and equipment can malfunction and allow 'your' video to be seen by others.

Aside from public-facing access, support engineers and administrators usually always have (and periodically may even require) visibility of recorded video and customer data. In terms of account support, troubleshooting, and maintenance having 'master access' means that no video data is 100% exempt from being viewed by others. Even when only a 'potential' issue, the risk of unauthorized viewing can be a deal breaker for VSaaS - often excluding it from high-security/surveillance applications.

Alternatives

Many customers choose to avoid the risk of situations like the above by simply avoiding VSaaS products. Others withhold serious consideration of the platforms until privacy and security of remote video can be absolutely assured - something that is not be possible. Until the time, we expect appliance based NVRs, VMS enabled NAS appliances, and small VMS servers to remain the preferred option for many end users. "Remote Accessibility" of video is becoming increasingly less difficult even with the full physical retention of all recorded video onsite.

Comments (15) : Members only. Login. or Join.

Related Reports

HTTPS / SSL Video Surveillance Usage Statistics on Apr 01, 2019
HTTPS / SSL / TLS usage has become commonplace for websites to improve security and, in particular, to help mitigate attackers reading or modifying...
Manufacturer Favorability Guide 2019 on Jun 12, 2019
The 259 page PDF guide may be downloaded inside by all IPVM members. It includes our manufacturer favorability rankings and individual...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
'CCTV' Is the Past, Cloud Video Surveillance Is the Future on Jul 08, 2019
A fundamental shift is happening. For decades, video surveillance was overwhelmingly 'closed' and off the Internet. This is changing. More and more...
CheckMySystems Company Profile on Aug 14, 2019
CheckMySystems says that too many users respond, "I get an email when something is wrong" when talking about their video system maintenance plan,...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
Remote Access (DDNS vs P2P vs VPN) Usage Statistics on Oct 25, 2019
Remote access can make systems more usable but also more vulnerable. How are integrators delivring remote access in 2019? How many are using...
Vunetrix Health Monitoring Company Profile on Nov 26, 2019
Vunetrix boasts that they make the integrators the 'HERO' by using Vunetrix's monitoring. We spoke to Vunetrix to better understand their...
Verkada Notification Outage on Dec 12, 2019
Verkada is suffering an event notification outage and analytic search failures. Inside, we examine what the issues are, what Verkada told IPVM...

Most Recent Industry Reports

Hanwha Wisenet X Plus PTRZ Tested on Feb 14, 2020
Hanwha has released their PTRZ camera, the Wisenet X Plus XNV-6081Z, claiming the "modular design allows for easy installation". We bought and...
PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems, according to the PRC's main cyber threat monitoring body. The hackers...
IPVM Conference 2020 on Feb 13, 2020
IPVM is excited to announce our 2020 conference. This is the first and only industry event that will be 100% sponsor-free. Like IPVM online, the...
Bosch Dropping Dahua on Feb 13, 2020
Bosch has confirmed to IPVM that it is in the process of dropping Dahua, over the next year, as both IP camera contract manufacturer and recorder...
BluB0X Alleges Lenel, S2, Software House Are Dinosaurs on Feb 13, 2020
BluB0X is running an ad campaign labeling Lenel, S2, Software House, Honeywell, AMAG and more as dinosaurs: In a follow-up email to IPVM,...
London Live Police Face Recognition Visited on Feb 13, 2020
London police have officially begun using live facial recognition in select areas of the UK capital, sparking significant controversy. IPVM...
Converged vs Dedicated Networks For Surveillance Tutorial on Feb 12, 2020
Use the existing network or deploy a new one? This is a critical choice in designing video surveillance systems. Though 'convergence' was a big...
Monitoreal "Completely Autonomous" Home AI Tested on Feb 12, 2020
Monitoreal claims to allow users to "see the things you want (people, vehicles, animals) and ignore the things you don’t”, using AI to distinguish...
Cisco Video Surveillance Is Dead, Long Live Cisco Meraki Video Surveillance on Feb 11, 2020
A dozen years ago much of the industry thought that Cisco was destined to dominate video surveillance. They stumbled repeatedly, failing. Now it is...
BICSI For IP Video Surveillance Guide on Feb 11, 2020
Spend enough time around networks and eventually someone will mention BICSI, the oft-referenced but only vaguely known standards body prevalent in...