ADT's LifeSheild/Blue Security Cameras Have Prying Eyes
By: Jim Stickley and Tina Davis
April 14, 2021
Smile and say, “don’t hack me!” Owners of home security cameras are finding out the vulnerabilities of their systems the hard way. Most recently, homeowners using a security system by ADT called Blue (formerly LifeShield) found hackers accessed their security cameras. It led to their audio and video streaming services being exploited. And it’s not just ADT systems – a similar problem with Ring security happened just one year earlier. Research by Bitdefender discovered the video doorbell portion of Blue was the problem but waited months to make it known. According to Brinks Home Security, wireless security cameras in 256 countries have been hacked.
DIY and the IoT
With almost 40% of the do-it-yourself home security market, ADT has 6.2 million security-minded customers, including those using Blue. The Blue system has compatibility options with Amazon Alexa, Google Assistant, Z-Wave Plus, and others, and the system can be controlled remotely. ADT released a firmware security patch for the servers and the 1,500 affected devices, but there’s no easy way to confirm if users installed the update.
Since these systems are all part of the IoT (internet of things), or all things connected, the potential for abuse is inherent. Assuming the system owner takes no preventive security steps, a cybercriminal can hack a camera that’s one part of a security system. If it’s a smart home with other connected devices, hackers can access the entire IoT system. Creepy as it is, some cases of hacked security cameras led to users being spied upon at home. Even more disturbing, some two-way systems allow hackers to see and speak to those inside.
Stuffing Credentials
There are two forces that when paired together allow for these intrusions. The first is the security system owner not changing the default password or reusing a password from other accounts. From there, hackers often use credential stuffing to crack the password. With the help of bots, hijacked account credentials are “stuffed” into other accounts a user has until a match is found. Once done, a hacker can virtually enter a home. Like most online accounts, cybersecurity experts remind us that all it takes for a home security system to be hacked is a username and password. Below are tips to help users keep their home and security system safe from prying eyes – and ears.
Stop the Snoop
- Change the default password immediately. Always use a password that is strong and unique.
- Update systems with the latest firmware and software as soon as any hardware device is installed. Apply security patches as soon as they are available.
- Research IoT vendors before committing to a security system. Check their security update policies for their products, as well as customer reviews.
- Use 2FA (two-factor authentication) or MFA (multi-factor authentication) to add a layer of security to devices.
- Actively check for software and firmware updates, including those for cameras. Most manufacturers alert customers to an update, but knowing one is available earlier rather than later is always a smart move.