The case is curious, but it reveals, once again, an increasingly common problem: computer fraud. A former employee of the alarm company ADT managed to explode a “backdoor”-A vulnerability in the system- and used the security cameras to spy on couples in intimate situations.
The case occurred in Dallas, Texas, United States, and the way it operated was announced this Saturday by the site specialized in technology ArsTechnica.
Telesforo Avilés, 35, acknowledged that during a period of five years it accessed the cameras of approximately 220 customer accounts more than 9,600 times, of course without the permission or knowledge of clients.
Home security cameras: do not control access, dangerous. AP Photo
Even as the site reconstructs, took note of houses with women he found attractive And then I looked at the cameras. He acknowledged that he observed naked women and couples while they had sex.
The question that arises is how the ADT security system allows not only that someone from “inside” the company can enter, but especially someone who no longer works.
Avilés told prosecutors how he did: added his email address to the list of users authorized to access customers’ ADT accounts. This allows the user to remotely connect to the ADT home security system so they can turn lights on or off, activate or deactivate alarms.
And, of course, also access the registry of security cameras.
But as always, it is a problem of trust, personal: Avilés sometimes told users that he had to add himself to that list in order to “Test the system”. On other occasions, it was added without the knowledge of the victims.
Aviles acknowledged his actions last Thursday in the United States District Court for the Northern District of Texas, where he pleaded guilty to one count of computer fraud and one count of invasive recording.
Faces up to five years in prison.
The answer from ADT, the alarm company
ADT, alarm company. Photo ADT Site
According to ArsTechnica, an ADT spokesperson said the company warned prosecutors of this situation in April of last year after learning that Aviles gained unauthorized access to the accounts of 220 clients in the Dallas area.
The security company then contacted each customer “to help correct this” and released the following statement last month.
ADT discharge for spying on an employee
The alarm company echoed the situation and explained its actions [traducido con Google Translate]
But for the company the case could be quite expensive: since then it has faced two class action lawsuits (class action).
The system had a “backdoor”: what is it and what precautions to take
Security cameras can have vulnerabilities. Photo Bloomberg
The problem that allowed this to happen is what is known in computer security as a “backdoor”: a back door (metaphorical) whereby someone who is not the “official” user you can enter the system.
In general, they are mentioned as a result of massive cases, such as the well-known Back Orifice and NetBus, two of the best known that even today are still valid and have been responsible for multiple cases of data theft.
The question is how to prevent something like this from happening, and the first answer is very basic: check who has access to the security system. It seems trivial, but in the reconstructed case the former employee was simply added as a user and only a few were struck by it. To them, he lied.
Never give a third party access to a personal system.
On the other hand, the case also denotes the risks of having cameras in places where, in general, you want to maintain some privacy. That is a user decision that could ultimately be questioned in itself.