Insider Attack on Home Surveillance Systems

No one who reads this blog regularly will be surprised:

A former employee of prominent home security company ADT has admitted that he hacked into the surveillance feeds of dozens of customer homes, doing so primarily to spy on naked women or to leer at unsuspecting couples while they had sex.

[…]

Authorities say that the IT technician “took note of which homes had attractive women, then repeatedly logged into these customers’ accounts in order to view their footage for sexual gratification.” He did this by adding his personal email address to customer accounts, which ultimately hooked him into “real-time access to the video feeds from their homes.”

Slashdot thread.

Posted on January 25, 2021 at 9:33 AM29 Comments

Comments

Winter January 25, 2021 10:12 AM

Is there any other thing to respond than:

Two things are infinite: the universe and human stupidity; and I’m not sure about th’universe!

(I specifically include all of the customers, the technician, and the company BoD in this quote)

notnonymous January 25, 2021 10:17 AM

Here’s a question:

He watched people and violated their privacy. If you tell them they have little if any recourse (other than getting rid of the ADP system, it’s not like you’ll sue them and get a lot of money).

If you don’t tell them, are they any worse off?

Now it’s complicated by the fact that this is public news, so I would say if someone who is affected asks they definitely should be told the truth.

But is there a moral or ethical imperative to inform people of violated privacy if the privacy was violated in a way that doesn’t result in a material loss?

I’m pro privacy, but I don’t think I can articulate a clear argument on this, can anyone else?

Etienne January 25, 2021 11:14 AM

Anyone who puts a camera in their bedroom or shower, is what we call in the industry, an accomplice.

Just say no to inappropriate technology.

JonKnowsNothing January 25, 2021 11:41 AM

@notnonymous @All

re: General Privacy vs Body Privacy

This is an area often referred to as “UpSkirting”. It’s making more than one round in court cases and the results are varied.

The question is: What part of your body is “private”.

You face is not private. Pictures, group photos, face to face interactions all make your face Not Private. This is one of the legal legs for Face Detection and Face ID and Face Recognition systems.

Your body is not private if you are in a public location. Sitting in on a bus or train or movie house etc. Your body is in a public area. Therefore all parts of your body are public. Cameras taped to the top of shoes or smartphones with live feed video “accidentally” set on the floor facing up a person’s kilt or skirt is being legally challenged but currently legally OK in many countries.

Toileting, Showering etc may also be public if the peephole camera is installed in a common access area. There are a many cases of employers installing peephole cameras in showers, locker rooms, toilet cubbies with varying degrees of legal acceptance or rejection.

Revenge Porn is a current theme making the legal circuit. Both consensual and non-consensual sex tapes created for personal or public gratification. What is and isn’t private if you shared it with your partner?

It depends also on what else the Tech did with the views. Some views are illegal no matter how they are produced or obtained. Possession alone is illegal.

There is more than one standard besides Material Loss: Reputation Damages cases are not uncommon.

There is one in progress about the public publication of a “private” letter where the recipient allowed portions of the letter to be printed in the news media. Those portions written by the sender were not very complimentary to the recipient. The sender is well known, well heeled, and suing for daylight for wrongful publication of a private correspondence.

There is always a recourse through the courts. There are criminal and civil actions. They are not always successful and often times “the one with the most money wins”.

ht tps://en.wikipedia.org/wiki/Upskirt
ht tps://en.wikipedia.org/wiki/Bollea_v._Gawker
ht tps://en.wikipedia.org/wiki/Peter_Thiel
(url fractured to prevent autorun)

Gaessup January 25, 2021 12:05 PM

@Etienne

+1

we all swim in an ocean of people during our lives and not all can be trusted.

Private an government organizations cannot possibly monitor/control their people 100% of the time.

Basic cautions should always be active in dealing with outside agencies.
Awareness of new technology risks is optional– so is your personal security.

Someone January 25, 2021 1:22 PM

One more insider job: names, addresses, social security numbers of people getting a Covid test collected & traded by employees working at the agency responsible for registering these tests.

In Dutch: RTL: Privégegevens van miljoenen Nederlanders uit systemen GGD worden illegaal op internet verhandeld
https://www.volkskrant.nl/a-b574674c

Jesse Thompson January 25, 2021 2:02 PM

So wait, we’re saying that this is a bad thing?

If this were Instagram or Onlyfans the activity in question would increase the engagement metric, or something. “All publicity is good publicity” etc, for The Brave New World™ we live in where everybody is an “influencer”.

Maybe the complaint is that Employee was running an ad blocker so that their voyeurism couldn’t be as readily monitized? I recall that that was the primary pushback during LOVEINT, for example.

This post brought to you by the punctuation mark /, and the letter s.

Bruce Schneier January 25, 2021 2:15 PM

@Maxie:

“This is just puritan propaganda. The list of spying crimes committed by the US government and its private accomplices is endless and yet this case is somehow “newsworthy’…”

Embrace the power of “and.” The myriad of spying — both legal and illegal — committed by the US government and US corporations is certainly newsworthy, and covered in this blog. And also, this particular insider attack against a surveillance system is newsworthy.

Clive Robinson January 25, 2021 3:31 PM

@ Winter,

Is there any other thing to respond than:

Sadly yes the needs of “human gratification” and “poor inpulse control”…

Which derive we are told by anthropologists and others from primary evolutionary drivers in what came long before the “lizard brain”. That is

1, To survive (long enough)
2, To pass on genetic traits.

Which has been crudely refrenced in the past via an expression that describes the primary needs a little more succinctly, as “To forage and f&&k”.

Which leaves the question of “Why the poor impulse control?”

Well “Human Stupidity” is one way to put it but it boils down to “deficient risk analysis”.

One asspect of which is the downside risk often raises to some power of the number of times you carry out an activity. That is each activity has muliple risks and some are orthagonal to each other. That is time increases linearly with each act, but when more than one target is selected the correlation factor rises as well which is independent of time.

Often it’s the correlation factor that causes criminals to get caught as it alows information that might otherwise not be obvious from a single event to come to the forefront of investigators attention (what investigators call an M.O.).

Anonymous Mouse January 25, 2021 3:54 PM

@Etienne @Clive @all_others

“Anyone who puts a camera in their bedroom or shower, is what we call in the industry, an accomplice.

Just say no to inappropriate technology.”

Do you have a laptop? Do you use it in your bedroom?
Do you have a smartphone? Do you use it in your bedroom?
If yes, ALL those have cameras that can be accessed remotely.

You don’t need to install home surveillance system to have a camera. Your home already has multiple cameras in the form of smartphones and laptops. Already old and known “security” problem.

h t t ps://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/

JonKnowsNothing January 25, 2021 5:18 PM

@Clive @Winter @All

re: Poor Risk Analysis

Humans are “gullible”, meaning “trusting” or “overly trusting”.

In archaic times, one might spot the lion or leopard before getting eaten, but a good predator hides until the last moment.

Corporations, Governments, Social Groups take advantage of this trust aspect to provide items labeled for “security” that provide no security at all.

The couple swaving their guns at protestors, clearly fearful, the crowd sensing their fear and thought processes in lizard-mode thought their guns would secure their persons and they did not.

Security cameras, security gates, security drive-around; the entire home-security business, is based on unhinging rational thought and invoking “poor impulse control” which means a sale, salary, bonuses.

It provides only a “sense of security” and no “real security”. It’s security theater. This theater continues with monthly fees, and contracts as long as the target does not realize “it doesn’t do anything at all”.

There are some services that do provide benefits such as daily phone checkups, a one button Call for Help pendant and devices that allow true safety monitoring.

A not uncommon problem in care homes is abuse or mistreatment of the persons living there. Poor food, poor physical treatment, poor hygiene, poor mental health-stimulation along with outright criminal abuse.

There are a number of reports about families installing secret cameras inside the rooms to document what sort of treatment their relatives are getting. Generally after some indication of abuse and a denial from management or the supervisor.

Sadly, it is often discovered that abuse, physical and sexual does take place along with food denial.

In the USA our HIPA laws can make these installations illegal, even if they are intended to protect the resident. These are the same laws, currently used to restrict data and information about COVID-19 pandemic in the USA.

So, people may install them anyway because in the end, it is the resident that is the victim, not the care home, though these may be deemed illegal applications.

Even the most diligent of families, does not know what happens after their 30 minute monthly visit (pre-COVID). The box of items or clothing or gifts or commissary funds or items of value disappear. All put down to “forgetfulness” but the video shows the theft and the nightly attacks.

ht tps://en.wikipedia.org/wiki/Gullibility

Gullibility is a failure of social intelligence in which a person is easily tricked or manipulated into an ill-advised course of action. It is closely related to credulity, which is the tendency to believe unlikely propositions that are unsupported by evidence.

ht tps://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
(url fractured to prevent autorun)

Clive Robinson January 25, 2021 5:39 PM

@ Anonymous Mouse, ALL

Do you have a laptop? Do you use it in your bedroom? Do you have a smartphone? Do you use it in your bedroom? If yes, ALL those have cameras that can be accessed remotely.

Whilst the answer is “yes” I’m more than aware of the issue.

None of the computers in my home connect to the Internet, firstly because I do not have an externally connected network and secondly I’ve built and installed “reed relay” disconnects into all the cables before they go into the “switch” so whilst PoE etc still works the primary TX and RX pairs are disconnected unless the reed relays are energized, which require the “user” to press a button every 1/2 hour or they time out and get de-energized.

Likewise I don’t ever use the cameras or built in microphones in computers and either they are not installed or have been disconected in the laptops as has the WiFi. Also the camera lense has a form of “soft glue” over it (like a cross between bath sealant and hot glue) as do the microphone sockets.

As for a smart phone, you can buy rather nice leather cases for them it takes very little in the way of “craft skills” other than “neatness” to modify them such that the camera lenses are covered either permanently or with a little more in the way of craft skills with an atractive flap.

What few realise is that you don’t need the internal microphones (please note plural) you just plug in an external set of ear buds and microphone and put a “press to talk” button in the lead.

Admittedly the “fettish” for glued or sealed cases makes disconecting the internal microphones harder, but whilst you are at it putting a real “power off” slide switch in the battery lead can be done at the same time.

As I said these modifications require a modicum of craftskills and a good deal of neatness. With care most of them can be reversed with little difficulty thus keeping the resale value in the items (not that it’s generally worth bothering about as tech depreciates around the same speed rocks fall to earth 🙁

@ ALL,

To many of us make the mistake of thinking “privacy comes for free” it does not. Sun glasses to cover part of your face, cost money, a hat to cover hair ears and some other features cost money, the cloths to cover your body cost money. The home you live in costs money, the solid door without windows or letter box costs money, the curtains or reflective tinting you add to the windows costs money, sound and IR/heat insulation costs money. As for other security measures the price goes up[1].

So consider this,

Having spent so much to obtain privacy why throw it away with IoT?

I sometimes wonder if such ubiquitous surveillance will be come so normalized that somebody would say,

“Hey Alexa, is this the the correct position according to Masters and Johnson?”

[1] A couple I know have a largish house with a combined study and bedroom on the ground floor. It’s way more study than it is bedroom. The reason is the bed lifts up like those that used to be put in small studio flats. The difference however is the bed when down covers a concealed trap door that has a flight of steps down to what is a large “panic room” that was a fall out shelter originally. As a panic room it came with more “mod cons” than it originally did, like a flushing loo, shower and kitchenette and even a pull down bed/settee that becomes a double bed. It’s like a small studio flat with enough room all be it a bit cramped for a family of five. It came with the house when they bought it. They don’t use it as a “panic room” but whilst “she who must be obeyed” gets the “study” he gets a combined “radio shack” and “electronics workshop” in the panic room along with a large flat screen TV etc. Yup his very own “man cave” and the door if you close it is nearly sound proof, so you can have the volume up as loud as you like, which annoys their kids as they have to keep the volume down in their rooms 😉 As he jokingly says “being the lord and master of the house hath privileges”. And yes before you ask quite a few people in London are “building under their houses” these days as it’s often the only way to get extra space, not all are panic rooms or fall out shelters, but if you build them right they will give you one heck of a lot of privacy.

JR January 25, 2021 6:57 PM

There’s more to this story. Under SEC and Texas State law, ADT needs to report this as a breach. I haven’t seen anything about how this person was caught. Was he installing cameras in locations where they shouldn’t have been and someone noticed a camera?

It sounds like ADT didn’t catch it, the FBI did. The big question is what technical and procedural controls will ADT now implement to ensure there’s no other rogue techs out there and also negate the ability for this to happen again? Monitoring and process could prevent this. I am more concerned about ADT’s commercial contracts, if field techs have the ability to do this. Think about the implications for a bank.

ilntoday. com/2019/07/texas-amends-data-breach-notification-law/

Winter January 26, 2021 12:16 AM

@Clive
“Well “Human Stupidity” is one way to put it but it boils down to “deficient risk analysis”.”

I see see stupidity as misapplied efficiency.

Pattern matching is cheap, thinking is expensive in time effort and error likelihood. So the efficient use of time and effort is to cache the results of thinking and learning results. Then you use these cached results when you recognize a problem or question (pattern matching).

Stupidly is when you do not realize when an existing answer does not apply.

In the case in hand the answer is “surveillance of my house makes it safe”. But it is not realized that surveillance of my body, accessible by others, is not.

Davide January 26, 2021 5:01 AM

Do you seriously install security cameras in bedrooms or other private rooms of the house? And let do this by the survelliance company? You miserable fools deserve this…

Hampton the Hampster January 26, 2021 5:44 AM

What surprised me somewhat was the fact that this guy doesn’t just leave traces but literally placarded his identity…

0Laf January 26, 2021 5:52 AM

I see a comment about your face not being private.

In the EU (and for now in the UK) your face can come under the term of personal information.
If you are the subject of a picture i.e. not in a crowd, then that picture is covered by the GDPR.

If any of the ADT customers were in the EU then (time of incident dependent) ADT might well be under investigation for a GDPR breach.

Clive Robinson January 26, 2021 5:57 AM

@ Davide,

Do you seriously install security cameras in bedrooms or other private rooms of the house?

Did you actually read the article?

Because some of these women have suffered physical abuse in other hones they have lived in.

The thing about abusers is sufficient of them are very plausible liers, and also know how to gurt people bot just with few physical signs if any, but as well as twisting arms they twist peoples brains and distort reality in the victims head as well as mental torture.

Try looking up the real meaning of “gas lighting” before it became a trendy put down or passive agressive tactic.

So some of these women have a very different outlook on life. They see the cameras not just as a deterant which they can be, but also as a way to gather evidence against their abusers they live in fear of them returning into their life.

There is a very real and valid reason we have stalking legislation. Ubfortunately way to many law enforcment personnel do not want to, or there superious actively discorage what they think are just petty “domestics” which is why some people turn up dead or just do not turn up at all.

So I can understand why they do put cameras in that feed to off-site storage especially if they have been given that extra special tourture of being dragged through a court case without hard evidence…

The real fault actually rests with the security company, who it would appear failed entirely to take even basic steps to protect the data feeds od their very vulnerable clients. Seeing them not as people but just “profit streams to be exploited” as much as possible as is “The Great American Way” in neo-con thinking with it’s “leave no money on the table” mantras.

Erdem Memisyazici January 26, 2021 10:13 AM

@notnonymous

Besides the obvious immorality and illegality you need an argument?

If a woman cheats on her husband and tells the husband that the child is his, does anybody have a moral imperative to inform the man?

If I rob a bank, make more money, then return the money to the bank, and nobody noticed. Did I not just rob a bank?

The answer is at least 1 person will know the truth, which will snowball into psychological and physical damage over time.

Paul January 26, 2021 12:50 PM

What I don’t often read is a for more serious aspect of these breaches, which is “over-the-camera” attacks on PINs, passwords, and other personal data.

If someone did this to me, these other security issues would be far more significant to me than whether they saw my privates.

And I have to think that coffee shop and restaurant security cams might be yet more valuable, and I’ve yet to see a press release on those systems being hacked.

Peter A. January 27, 2021 5:34 AM

@Norio: cameras do not prevent crimes. They may help solve crimes after the fact, sometimes. The situation of your friend would not likely be much better if she had a camera installed – the harm has been done, and there’s little comfort for her, if at all, if the perp got caught and punished (the court trial being an additional trauma). I doubt such a crook would run away if she told him there’s a camera – more likely he would destroy the camera and proceed.

Rather think about it: what’s the conditional probability of a camera deterring a violent perp on the condition that a violent crime happens at all versus what’s the probability of the footage of your private moments being misused, totally out of your control (unless you build your CCTV system yourself, and know exactly how to do it securely, which is hard).

Goat January 27, 2021 6:44 AM

@Peter Peter, the correct question to ask is “Why are employees bored?”

That said, in India they(taxation officials) don’t seem to… Don’t know about Americans.

vas pup January 27, 2021 5:48 PM

My nickel:

What company is next after ADT for the same unauthorized utilization of IoT: cameras, microphones?

My bet is on Comcast/Xfinity with their weird cable box which is roaring in the middle of the night being off or warm during the day time being off as well? Sounds familiar when your cell phone is warm being off as red flag that its features were activated without your knowledge? That is not sworn statement just educated observation.

Until NIST establish clear security/(privacy providing) requirements for IoTs manufacturers which will put YOU/USER in a total control, nothing changed.

@ALL: e.g. do we buy our phone in order to become subject of total observations by weirdos of all flavor? I guess NO.

And last but not least, if insider IT guy from the company can do this, there is zero doubt that either hackers (from inside or outside the country – the interest could me not only naked bodies) can do the same, and our own Big Brother as well.

Hello, ‘1984’ is already there. Snowden open our eyes on many things, but we prefer to ignore them sometimes.

Austin January 28, 2021 8:57 AM

I did an experiment with some really basic smart plugs and PoE security cameras at my home. I wanted the indoor cameras to shutoff whenever my wife or I were home and turn on when we were away. We don’t have an ‘alarm system’ per se and have no habit of turning something on/off when we come and go. The idea is for it to be automatic and noting the only need of an indoor camera was to verify an intruder is in your home when you are not there or to otherwise check on pets when you are away.
I setup a Power over Ethernet switch that powered and networked cameras inside my home and it was plugged into a smart outlet that could be toggled off and on remotely or from webhooks inside my network. Next I setup a crude python script that checked for presence of the mac address of my phone and my wife’s phones on our local wifi network. Whenever neither phone is connected, the smart outlet would power on the switch that powers the indoor cameras. Whenever either of our phones show up on the network the switch and cameras get powered off.
Despite my crude programming it actually worked much of the time. The script was the weak point but it basically worked…until Apple’s update that caused phones to give random mac addresses to wifi networks. I realize this can be solved in the iPhone settings but my script was hard coded and I just dropped it for lack of time.
I wish I had the time to further develop this concept. Let me know if someone else has or you have a better solution.

Austin January 28, 2021 9:12 AM

And for what it’s worth, in my experiment, the camera footage was only stored locally and the cameras only aimed at entrances. I would like to have a person recognition system that would send my phone stills of anyone that enters when neither of us are home but I don’t know how to do that securely and privately yet.
Police response times are incredibly faster if you can verify there is an intruder when you alarm system goes off. They face so many false alarms that it becomes low priority.

JonKnowsNothing January 28, 2021 9:44 AM

@Austin

re: I would like to have a person recognition system that would send my phone stills of anyone that enters when neither of us are home but I don’t know how to do that securely and privately yet.

You do not need the name the person intruding in your home, all you need to determine is that it is not someone you know directly or if you have authorized to enter (cleaning and repairs).

a, You Know The Person Y / N
b, The Person is Allowed Entry Y/ N
c, You Do Not Know The Person and They are Not Allowed Y / N

Putting a name to the image is the job of the police.

There are a lot of apps that connect to security cameras that will send images to your phone or email with alerts from the system. You can capture the image (screen shot) and notify the authorities.

Apropos of the topic, some systems install multiple cameras so you can capture the entire squad as they back up the furniture van to your house and proceed to take everything.

Quite common in California. No one calls the cops because your neighbors figure you are moving, which is also quite common in California.

Austin January 29, 2021 12:03 PM

@JonKnowsNothing

re: There are a lot of apps that connect to security cameras that will send images to your phone or email with alerts from the system. You can capture the image (screen shot) and notify the authorities.

I do agree I don’t need to know their name, just that its a person.

I had a system on my NAS that said it had person recognition like this during my test but even tuned to “notify if person only” it would not alert unless you looked right at the camera in decent lighting but on the next setting down it would send me alerts every time the lighting changed bc of clouds or the dog roaming around.
Even my neighbor’s eufy doorbell is the same way. If you know of something inexpensive or free that is good at this let me know.
Thanks!

JonKnowsNothing January 29, 2021 1:05 PM

@Austin

Hmmm, just occurred to me that you might actually need a broader definition of what you want to ID. In some locales, especially urban areas that are expanding into previously non-human habitat, a variety of non-humans make entry.

Bears are common intruders: beer and bacon. In the colder climates Polar Bears have been known to rip off doors and crash through windows. The locals have a bear patrol to monitor the bears since the bear migration route is through the middle of the town.

Deer can make entry and those living in the in deer country know it’s sometimes a losing proposition to keep them out of the area.

Skunks, raccoons are very fond of dog and cat food and have been known to make an entrance though pet-doors.

Increasingly, rattlesnakes are found as people push urbanization into that habitat. All sorts of escapee snakes from the pet trade in exotic pets have made themselves At Home in basements, attics, nooks and crannies.

There are “trail cameras” you might want to check. These are similar to the type of photo-capture systems used by biologists. They strap to a tree or post and use infrared or a laser trip to take the picture. For the wifi ones they will send it to your email or phone. For the non wifi ones you have to physically retrieve the media.

Similar systems are used for livestock. Especially the expensive kinds like race horses. They are chipped but also monitored while in pastures. Rustling is still a common activity in agricultural areas.

They backup a mobile slaughter van to the area. Herd in a group of their targeted animals. Then drive off. While they are heading down the highway, the back of the van team butchers the animals, wraps and packs the meat.

I doubt these are any more secure than any other camera, especially if it’s wifi enabled.

ht tps://en.wikipedia.org/wiki/Rattlesnake

The 36 known species of rattlesnakes have between 65 and 70 subspecies, all native to the Americas, ranging from southern Alberta, Saskatchewan, and southern British Columbia in Canada to central Argentina.

ht tps://en.wikipedia.org/wiki/Remote_camera
ht tps://en.wikipedia.org/wiki/Camera_trap

(url fractured to prevent autorun)

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.