Screw-up: Vivint Cloud Video

By John Honovich, Published Feb 11, 2013, 12:00am EST (Info+)

Who can see your cloud stored video? For at least one Vivint customer, the answer is complete strangers. An ongoing concerns of cloud-based surveillance is privacy and security protections in place to prevent unauthorized viewing. In this note, we take a look at one example where 'remote video' went wrong, the questions it raised, and what alternatives avoid the problem.

Vivint's Mistake

*** ****** ***** ******* *** ******** a '****** *****' ******** *********** **** ** ****** into *** ***** ******* *** ******** video *****. ******* ** ***** ********* for *** ** **** **** ******** recorded ** ******* **** ***** ****'* accounts. *** *** ***** ******** ***** for **** *******:

**** ****** *** ***** ** ******* of *** '***', ********** ** ******* Vivint ***** ******** ********* ** *** fact **** ****** *** *** **** his ****** ** *********:

** ***** ** ********, **** ***** ranks ***** *** ***** ******** ******** a ***** ******** *** ****. ***** the **** ***** ** *** ******* appears ** ** ********* *** *** malicious, *** **** *** ***** ******** at *** ********* *********** ************ ** how ******'* '*****' ******* *** *****.

Widespread *******?

** *** ****, ****** ****** "**** is *** ***** **** ** ***** like **** *** **** ********" *** is ************* *** ***** ** ******. Regardless ** *** ********** **** ********** issue ******, *** ******** ******** ** the **** *** **** ******** ** the *********, *** **** ********** ** Vivint's ********.

****** ****** ** ******, *** ******** explains **** ** *** ************ *** camera ** ******* ***** *****, ***** Vivint "*** ****** *** **** * [service] ********" *** ** **** "***** pay *** * ******** ******* ** cannot *****". ***** ************** ** ****, this ******** ** ****** **** **********'* ****** ******** ******* ************* *** ****** ******** ** ******* that********** ******** *****-**** ********** ************* ******** ***** *********** *********.

VSaaS ****

***** '******'******* ******* ******** **** ************* ***** ******** **** ****** ** 'bank-grade **********' *** '********** **** ** your ********', ** ******* ** ******** risk ** **** *****-***** *********. ** the ********* ***** *******, **** ******** protected ******** *** ********* *** *********** and ***** '****' ***** ** ** seen ** ******.

***** **** ******-****** ******, ******* ********* and ************** ******* ****** **** (*** periodically *** **** *******) ********** ** recorded ***** *** ******** ****. ** terms ** ******* *******, ***************, *** maintenance ****** '****** ******' ***** **** no ***** **** ** ***% ****** from ***** ****** ** ******. **** when **** * '*********' *****, *** risk ** ************ ******* *** ** a **** ******* *** ***** - often ********* ** **** ****-********/************ ************.

************

**** ********* ****** ** ***** *** risk ** ********** **** *** ***** by ****** ******** ***** ********. ****** withhold ******* ************* ** *** ********* until ******* *** ******** ** ****** video *** ** ********** ******* - something **** ** *** ** ********. Until *** ****, ** ****** ********* based ****, *** ******* *** **********, and ***** *** ******* ** ****** the ********* ****** *** **** *** users. "****** *************" ** ***** ** becoming ************ **** ********* **** **** the **** ******** ********* ** *** recorded ***** ******.

Comments (15)

This sounds like a problem that was not caught in QA, as in a call was made to the database and pulled up the record of a different user, etc. Maybe it was a software bug or an issue with manual account adjustment, etc.

Does anyone know who Vivint is sourcing their cloud video software from?

Can you identify anyone using these recordings? It seems to me, that the compression is so brutal that all detail is lost. The recordings only tell you that a human being broke in. Something you might have deduced otherwise.

You have to assume it's an SD camera, maybe recorded at CIF resolution and at a low quality level to reduce bandwidth and storage costs. Welcome to the wonderful world of cloud surveillance!

Btw, that would make a great Vivint defense: "But the quality is so bad you can't make out any personal details anyway."

Your account having "bank-grade encryption" and being accessible "only by your password" is quite irrelevant when the service itself is delivering someone else's video into your account...

If I had to guess I think the guy in the video is forgeting to disable his alarm system when he's going to get a midnight snack. Sounder starts to beep when he hits the motion sensor hence the weird sprinting across the room to disarm the key pad. I'm clearly missing the point of this post though.

Jacob, Yes, you are missing the point.

The guy in the video is being shown to some other guy completely unrelated to him. That's the security issue - sharing video with 3rd parties. It has nothing to do with false alarms.

Yes I was aware of the real issue I was just kidding about missing the point. I was just offering a suggestion as to why this guy and gal might be randomly running across the room even though it is clearly not the point of the post. My bad.

Well if this is where Vivint's CEO get's his Industry Trends and Insights from a trade magazine why would we expect them as a company to be connected to have insights into issues with their customers?

RreaDerShIP getS reSultS…

I’ve been reading SDM for the seven years I’ve been at Vivint. The information provided in SDM’s articles have been invaluable tools for keeping up with industry trends, assessing competitive dynamics, and spurring key strategic discussions… The content of SDM’s monthly magazine and special reports provide insightful snapshots of our ever-changing industry.
— Alex Dunn, COO, Vivint Inc.

From SDM Advertiser Promo

RE: SDM/Vivint: In fairness, one hand washes the other.

touché

I think Vivint is selling the Alarm.com video platform. (At least untill they build their own with the funds they got from the PE group.)

Anyone have experience with this?

Security vulnerabilities, including unauthorized access, are due to flaws in design, development, and QA, no matter the technology. HW and SW are designed by humans. VSaaS is no more vulnerable than DVRs or NVRs.

More Than A Dozen Brands Of Security Camera Systems Vulnerable To Hacker Hijacking

Popular Surveillance Cameras Open to Hackers, Researcher Says | WIRED

In fact, one could easily argue that a well designed VSaaS can be much more secure than a NVR or DVR. Some may even believe that a hosted service understands the broader range of threats and designs to the latest security trends and threats. At least our cloud services allows us to not only update security on our cloud service but push out software updates to our cameras, not requiring users to manage firmware updates.

Since gaining the trust of the early majority with newer technologies is a challenge, an OEM's reputation and brand can accelerate adoption. In the case of VSaaS, the reputation of security in the DNA of an OEM/service provider can boost customer confidence in the technology, so the discussion can then shift to value.

Our company, Third Iris (dba VIAAS and CudaEye), encrypts and digitally signs the images and video as they are recorded. Video and images remain encrypted while uploaded to our servers encrypted, and remain encrypted while stored on our server. Is anything perfect? No, including DVR and NVR solutions, but we understand network security, next generation firewalls and web application firewall technologies along with how to encrypt your data. Our cameras and service also do not rely on the installer to ensure the security of the camera or video.

If a prospective customer does not use a bank that stores their financial and personal data on computers and servers, then VSaaS is not the solution for that specific customer, nor any IP camera, most DVRs and probably all NVRs. However, if a customer is seeking value, then VSaaS may be a viable solution.

That's far too sweeping on a statement: "VSaaS is no more vulnerable than DVRs or NVRs."

For instance, it's a fact that if I use your service, someone within your company can absolutely look at my video. You can set rules, restrictions, etc. but if your developers want, it's certainly something they can access.

And comparing it to a bank's security is absurd. Both uses computers and networks but the average startup VSaaS provider is far less mature and secure than the average bank. If you think it's the same, why don't you store your financial information and assets in Vivint's cloud video system?

Totally have to agree with John here. "...one could easily argue that a well designed VSaaS can be much more secure than a NVR or DVR" is a bit of a stretch - yeah, maybe if you keep your DVR sitting outside on your front porch.

Fact of the matter is, with my own DVR/NVR, HOW secure it is, is entirely under MY control.

I've seen something similar to the "glitch" shown in the article: a drive crash in my computer and subsequent CHKDSK led to thousands of cross-linked files on the hard drive - opening one file would usually result in a completely different file's contents being displayed... or the right image would display, but only part of it... or in some cases, videos would start playing one thing and then switch to completely different content, much like the article shows.

Now I don't know what the underlying cause was of the glitch in this article, but suffice to say, if you end up with cross-linked files like that, it really doesn't matter whether the user's connection to the cloud is heavily encrypted or not - the service itself is sending the wrong video over that encrypted connection, and that's not acceptable.

If I'm running my own DVR and that happens, the worst that happens is that I can't view some video, or at least can't search it properly; it doesn't allow someone else to inadvertently view it when they think they're looking at their own video.

I am not saying that every VSaaS solution is more secure, but it is not necessarily less secure. You don't need to leave your DVR on the porch, apparently only attached to a network.

"Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers." -Forbes 1/28/2013

Public cloud services offered by startups are trusted by many businesses with highly confidential proprietary information, from Fortune 500 to SMBs. Consumers already use cloud services and storage for financial data, PII, videos and images. As I previously stated (or at least tried to imply), trust is important in the adoption of new technologies, including VSaaS, so the original story certainly doesn't help the adoption of VSaaS.

I am not trying to make the case that VSaaS is the solution for every customer, hence "may be a viable solution".

John, I apologize for not being clearer. Restated: "Not all VSaaS solutions are more vulnerable than DVRs or NVRs to data breaches or hacks." While I will not publicly discuss the details of our database, architecture and security, I would be glad to discuss this further at or after ISC West. My other role is with an industry leading network security and data protection company that protects some of the largest banks in the world, government organizations and carriers, so I have experience outside of VSaaS with network and infrastructure security. By the way, it is possible for a customer to provide a self-issued encryption keys when "100% exempt from being viewed by others" is a requirement, depending on the VSaaS solution. I definitely appreciate this thread to understand real concerns and perceived weaknesses, thank you.

Matt, We don't run our services and database on a personal computer, just millions iPods. :) Actually, our newest implementation is with a scalable multi-master database with no single points of failure on geographically separated, highly redundant servers.

I hope everyone has a good Friday with at least an occasional smile. :)

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports