{"id":8264,"date":"2021-03-10T12:00:00","date_gmt":"2021-03-10T12:00:00","guid":{"rendered":"http:\/\/ncjolt.org\/?p=8264"},"modified":"2021-03-08T23:44:39","modified_gmt":"2021-03-08T23:44:39","slug":"adt-security-company-fails-to-secure-homes-from-its-own-employees","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/adt-security-company-fails-to-secure-homes-from-its-own-employees\/","title":{"rendered":"ADT Security Company Fails to Secure Homes from its own Employees"},"content":{"rendered":"\n<p class=\"has-drop-cap\">The longstanding slogan of ADT security company, \u201cAlways There\u201d takes on new meaning, as former ADT employee, Telesforo Aviles, has pleaded guilty to accessing the home security feeds of over 200 customers for sexual gratification. Aviles, who was a technician for ADT, <a href=\"https:\/\/www.dallasnews.com\/news\/courts\/2021\/01\/21\/former-adt-technician-pleads-guilty-to-hacking-into-customers-home-security-video-feeds\/\">took advantage of a company policy<\/a> that allowed employees to add their emails to \u201cADT Pulse\u201d customer accounts for installation purposes. However, Aviles would not remove his email address from the accounts, giving him unchecked access to customers\u2019 video feeds without their knowledge. Aviles admitted that he \u201c<a href=\"https:\/\/www.justice.gov\/usao-ndtx\/pr\/adt-technician-pleads-guilty-hacking-home-security-footage\">took note of which homes had attractive women<\/a>\u201d and later accessed over 200 accounts for the purpose of sexual gratification. Recurrently, Aviles viewed the real-time video feeds \u201c<a href=\"https:\/\/www.justice.gov\/usao-ndtx\/pr\/adt-technician-pleads-guilty-hacking-home-security-footage\">of naked women and coupled engaging in sexual activity inside their homes<\/a>.\u201d\u00a0<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u201cCustomers paid a security firm for protections from outside threats, but unwittingly opened their home to internal security breaches.\u201d<\/p><\/blockquote>\n\n\n\n<p>Even more disturbing, Aviles continued his voyeurism undetected more than <a href=\"https:\/\/www.dallasnews.com\/news\/courts\/2021\/01\/21\/former-adt-technician-pleads-guilty-to-hacking-into-customers-home-security-video-feeds\/\">9,600 times<\/a> in a four and a half year period. Aviles\u2019s rampant misconduct was not discovered until April 23, 2020, when a customer contacted ADT to <a href=\"https:\/\/www.dallasnews.com\/news\/courts\/2021\/01\/21\/former-adt-technician-pleads-guilty-to-hacking-into-customers-home-security-video-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">report a suspicious email<\/a> on their account. Aviles pleaded guilty to computer fraud and now faces up to five years in prison for his conduct; however, concerns about the integrity of home security systems remain.<\/p>\n\n\n\n<p>Aviles was able to compromise the very products that are supposed to ensure the safety of the home. ADT <a href=\"https:\/\/www.adt.com\/adt-privacy-notice\">self reported<\/a> the incident on its website, referring to Aviles\u2019s conduct as \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/www.adt.com\/adt-privacy-notice\" target=\"_blank\">unauthorized access<\/a>\u201d and \u201cimproper behavior.\u201d But, announcing vague descriptions of serious misconduct is not enough; home security providers need to accept responsibility for the vulnerabilities in their services and products. In a United States Attorney\u2019s Office <a href=\"https:\/\/www.justice.gov\/usao-ndtx\/pr\/adt-technician-pleads-guilty-hacking-home-security-footage\">press release<\/a> on the Aviles case, FBI Dallas Special Agent DeSarno \u201cencourage[d] everyone to <a href=\"https:\/\/www.justice.gov\/usao-ndtx\/pr\/adt-technician-pleads-guilty-hacking-home-security-footage\" target=\"_blank\" rel=\"noreferrer noopener\">practice cyber hygiene<\/a> with all their connected devices by reviewing authorized users and routinely changing passwords.\u201d However, maintaining strong passwords would not have prevented Aviles\u2019s misconduct. Here, Aviles easily abused his position as a technician to gain access to customer accounts. Customers paid a security firm for protections from outside threats, but unwittingly opened their home to internal security breaches.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/journals.law.unc.edu\\\/ncjolt\/wp-content\/uploads\/sites\/4\/2021\/03\/Long.jpg\" alt=\"\" class=\"wp-image-8265\" width=\"600\" height=\"406\" srcset=\"https:\/\/journals.law.unc.edu\/ncjolt\/wp-content\/uploads\/sites\/4\/2021\/03\/Long.jpg 800w, https:\/\/journals.law.unc.edu\/ncjolt\/wp-content\/uploads\/sites\/4\/2021\/03\/Long-300x203.jpg 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure><\/div>\n\n\n\n<p>Moreover, the system that Aviles continuously breached, \u201cADT Pulse,\u201d is one of the company\u2019s most advanced products. The ADT Pulse system allows customers to remotely monitor their video feed, control alarms systems, or even turn off their lights directly from their smartphone or other connected device. The <a href=\"https:\/\/www.adt.com\/pulse\">ADT website<\/a> touts that the system provides \u201ca smarter, safer home,\u201d as it uses WPA2, an advanced encrypted wireless protocol which ensures that wireless communications remain private. While ADT\u2019s security system protected homes against outside hacking attacks, the company lacked internal mechanisms to monitor and prevent attacks from within. Several lawsuits have been filed against ADT for breach of privacy, including <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/01\/home-alarm-tech-backdoored-security-cameras-to-spy-on-customers-having-sex\/\">class action suits<\/a> on behalf of affected ADT customers as well as their <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/01\/home-alarm-tech-backdoored-security-cameras-to-spy-on-customers-having-sex\/\" target=\"_blank\" rel=\"noreferrer noopener\">minor children<\/a>. Some of the lawsuits allege that ADT strategically marketed its ADT Pulse system as a means for families to monitor young children and pets from their smartphone. While parents purchased the systems, expecting it to enhance the safety of their home, ADT failed to implement basic security measures that could have prevented such an attack, including two-factor authentication and text alert protocols.<\/p>\n\n\n\n<p>Promoting individual password security practices and encrypting network connection is not enough. Home security companies need to be held accountable for failing to implement basic cyber security measures and not having the internal checks necessary to prevent malicious employee conduct. The <a href=\"https:\/\/www.mordorintelligence.com\/industry-reports\/home-security-system-market\">home security systems market<\/a> is projected to continue its consistent pattern of growth. Thus, it is increasingly essential to protect homes from security threats, whether external or internal.<\/p>\n\n\n\n<p><strong>Stephanie Long<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The longstanding slogan of ADT security company, \u201cAlways There\u201d takes on new meaning, as former ADT employee, Telesforo Aviles, has pleaded guilty to accessing the home security feeds of over 200 customers for sexual gratification. Aviles, who was a technician for ADT, took advantage of a company policy that allowed employees to add their emails <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/adt-security-company-fails-to-secure-homes-from-its-own-employees\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":4,"featured_media":8265,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8264"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=8264"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8264\/revisions"}],"predecessor-version":[{"id":8266,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8264\/revisions\/8266"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/8265"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=8264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=8264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=8264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}