ADT Security Company Fails to Secure Homes from its own Employees

The longstanding slogan of the ADT security company, “Always There,” takes on new meaning now that former ADT employee Telesforo Aviles has pleaded guilty to accessing the home security feeds of over 200 customers for sexual gratification. Aviles, who was a technician for ADT, took advantage of a company policy that allowed employees to add their emails to “ADT Pulse” customer accounts for installation purposes. However, Aviles would not remove his email address from the accounts, giving him unchecked access to customers’ video feeds without their knowledge. Aviles admitted that he “took note of which homes had attractive women” and later accessed over 200 accounts for the purpose of sexual gratification. He repeatedly viewed the real-time video feeds “of naked women and couples engaging in sexual activity inside their homes.”

Even more disturbing, Aviles continued his voyeurism undetected more than 9,600 times over a four-and-a-half-year period. Aviles’s rampant misconduct was not discovered until April 23, 2020, when a customer contacted ADT to report a suspicious email on their account. Aviles pleaded guilty to computer fraud and now faces up to five years in prison for his conduct; however, concerns about the integrity of home security systems remain.

Aviles was able to compromise the very products that are supposed to ensure the safety of the home. ADT self-reported the incident on its website, referring to Aviles’s conduct as “unauthorized access” and “improper behavior.” But vague descriptions of serious misconduct are not enough; home security providers need to accept responsibility for the vulnerabilities in their services and products. In a United States Attorney’s Office press release on the Aviles case, FBI Dallas Special Agent DeSarno “encourage[d] everyone to practice cyber hygiene with all their connected devices by reviewing authorized users and routinely changing passwords.” However, maintaining strong passwords would not have prevented Aviles’s misconduct. Here, Aviles easily abused his position as a technician to gain access to customer accounts. Customers paid a security firm for protection from outside threats, but unwittingly opened their homes to internal security breaches.

Moreover, the system that Aviles continuously breached, “ADT Pulse,” is one of the company’s most advanced products. The ADT Pulse system allows customers to remotely monitor their video feed, control alarm systems, or even turn off their lights directly from their smartphone or other connected device. The ADT website touts that the system provides “a smarter, safer home,” as it uses WPA2, an advanced encrypted wireless protocol that ensures that wireless communications remain private. While ADT’s security system protected homes against outside hacking attacks, the company lacked internal mechanisms to monitor and prevent attacks from within. Several lawsuits have been filed against ADT for breach of privacy, including class action suits on behalf of affected ADT customers as well as their minor children. Some of the lawsuits allege that ADT strategically marketed its ADT Pulse system as a means for families to monitor young children and pets from their smartphones. While parents purchased the systems expecting them to enhance the safety of their homes, ADT failed to implement basic security measures that could have prevented such an attack, including two-factor authentication and text alert protocols.

Promoting individual password security practices and encrypting network connections is not enough. Home security companies need to be held accountable for failing to implement basic cybersecurity measures and for not having the internal checks necessary to prevent malicious employee conduct. The home security systems market is projected to continue its consistent pattern of growth. Thus, it is increasingly essential to protect homes from security threats, whether external or internal.

Stephanie Long