Installing an internet-connected security camera in your house won’t necessarily bring a wave of hackers to your Wi-Fi network — but losing privacy resulting from a device’s security shortcomings is surprisingly common. Last year, an ADT home security customer noticed an unfamiliar email address connected to her home security account, a professionally monitored system that included cameras and other devices inside her home.
That simple discovery, and her report of it to the company, began to topple a long line of dominoes leading back to a technician who had spied, over the course of four and a half years, on hundreds of customers — watching them live their private lives, undress and even have sex.
ADT says it has closed the loopholes that the technician exploited, implementing “new safeguards, training and policies to strengthen … account security and customer privacy.” But invasions of privacy are not unique to ADT and some vulnerabilities are harder to safeguard than others.
Whether you’re using professionally monitored security systems such as ADT, Comcast Xfinity or Vivint, or you just have a few standalone cameras from off-the-shelf companies like Ring, Nest or Arlo, here are a few practices that can help protect your device security and data privacy.
Is my security system vulnerable?
Before jumping into solving the problems of device insecurity, it’s helpful to understand how vulnerable your devices really are. Major professionally monitored security systems — and even individually sold cameras from reputable developers like Google Nest and Wyze — include high-end encryption (which scrambles messages within a system and grants access through keys) almost across the board. That means as long as you stay current with app and device updates, you should have little to fear of being hacked via software or firmware vulnerabilities.
Likewise, many security companies that use professional installers and technicians have strict procedures in place to avoid precisely what happened at ADT. The Security Industry Association — a third-party group of security experts — advises manufacturers such as ADT on matters relating to privacy and security.
“The security industry has been paying attention to [the issue of privacy in the home] since 2010,” said Kathleen Carroll, chair of the SIA’s Data Privacy Advisory Board, “and we continue to work to help our member companies protect their customers.”
Some professionally monitored systems, such as Comcast and now ADT, address the problem by simply strictly limiting the actions technicians can take while assisting customers with their accounts — for instance disallowing them from adding email addresses to accounts or accessing any recorded clips.
“We have a team at Comcast dedicated specifically to camera security,” a Comcast spokesperson said. “Our technicians and installers have no access to our customers’ video feeds or recorded video, which can only be accessed by a small group of engineers, under monitored conditions, for issues like technical troubleshooting.”
“Only customers can decide who is allowed to access their Vivint system, including their video feeds,” a spokesperson for home security company Vivint said. “As admin users, they can add, remove or edit user settings. And … we regularly conduct a variety of automated and manual audits of our systems.”
With DIY systems, customers set up their own devices, making technician access a moot point. But if customers opt into additional monitoring, which is often offered alongside individual products, that may complicate the issue.
In short, security companies appear to be consciously using multiple levels of security to protect customers from potential abuse by installers and technicians — even if the processes by which they do this aren’t entirely transparent. But even if they’re effective, that doesn’t mean your smart cameras are totally secure
