301.519.9237 exdirector@nesaus.org

1.22.21 – ARS Technica

Employee for ADT accessed ~200 customer cams on more than 9,600 occasions.

A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the District of Northern Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.

Aviles told prosecutors that he routinely added his email address to the list of users authorized to access customers’ ADT Pulse accounts, which allow customers to remotely connect to the ADT home security system so they can turn on or off lights, arm or disarm alarms, and view feeds from security cameras. In some cases, he told customers that he had to add himself temporarily so he could test the system. Other times, he added himself without their knowledge.

More legal fallout

An ADT spokesman said the company brought the illegal conduct to the attention of prosecutors last April after learning Aviles gained unauthorized access to the accounts of 220 customers in the Dallas area. The security company then contacted each customer “to help make this right.” The company has already resolved disputes with some of the customers. ADT published this statement last April and has continued to update it.Advertisement

“We are grateful to the Dallas FBI and the US Attorney’s Office for holding Telesforo Aviles responsible for a federal crime,” the company wrote in an update posted on Friday.

In the aftermath of the breach discovery, ADT has been hit by at least two proposed class-action lawsuits, one on behalf of ADT customers and the other on behalf of minors and others living inside the homes. A plaintiff in one of the suits was allegedly a teenager at the time that the breach occurred. ADT informed her family that the technician spied on her home almost 100 times, according to the lawsuit.

The suits alleged that ADT marketed its camera systems as a way for parents to use smartphones to check in on kids and pets. ADT, the plaintiffs said, failed to implement safeguards—including as two-factor authentication or text alerts when new parties access the accounts—that could have alerted customers to the invasion. The breach was discovered when a customer noticed an unauthorized email among addresses that had permission to access the security system.

The revelation of an electronic Peeping Tom is a good reminder of the risks that come from installing network connected cameras inside the home or other locations where there’s a reasonable expectation of privacy. People who choose to accept these risks should take the time to educate themselves on how to use, configure, and maintain the devices. Among the first things to inspect are the list of users given access and who has actually logged into the system.