New class action against ADT could have industry-wide ramifications

Nov. 24, 2014
Wireless vulnerabilities in security systems are an unfair and deceptive trade practice, lawsuit says

If you sell, install or monitor wireless security systems, you should be watching the progress of a recent class action lawsuit filed against ADT in federal court in Illinois, Baker vs. ADT.

In Baker, the plaintiff alleges that ADT’s wireless home security equipment transmits unencrypted signals that can be hacked by third parties. As a result, the complaint claims, signals from ADT’s systems can be intercepted and interfered with by those who want to gain access where such systems are installed.

According to the complaint, third parties can disable or suppress ADT’s security systems or cause the system to activate when there actually is no security breach to determine if police are dispatched in response to an alarm; thus allowing them to determine the best time to strike. The plaintiff also alleges that hackers can use a subscriber’s security cameras to spy on subscribers while in the premises.

The crux of plaintiff’s legal claim appears to be that ADT tells its customers the systems are secure when they are not and ADT knows that. The plaintiff alleges this violates Florida’s Unfair and Deceptive Trade Practices Act — although the case is filed in Illinois, where the plaintiff lives, ADT’s principal place of business is in Florida, which is why plaintiff relies on Florida law. Most states have similar statutes, which can be the staple of class actions, consumer claims or even commercial disputes.

Wireless Vulnerabilities

Before you gloat over ADT’s misfortune, understand that this is not the first time someone questioned the security of wireless security systems. For example, at least one presenter at Black Hat, an information security conference held in August, claimed that hacking into wireless home security systems could be accomplished with equipment costing less than $100. ADT’s wireless security equipment is not the only equipment hackers claim to be able to access —I have found articles, blogs or papers indicating that Vivint and 2Gig devices can be hacked as easily.

A recent Forbes magazine article claims certain wireless security systems can be hacked because of “legacy wireless communications from the 90s that failed to encrypt or authenticate signals.” The article said a hacker used a $10 simple device — a software-defined radio or “SDR” — to hack into systems installed by ADT and Vivint and could “see” transmissions from the system, even when the system was not armed. Using a slightly more sophisticated SDR, the hacker was able to access the wireless security system from between 65 and 250 feet away from the system to not only “see” activity in the premises, but also to suppress the system so it did not communicate with central station.

I strongly suspect the potential problem runs deeper than just a few select brands. The bottom line is: how do you know if the wireless equipment your company installs can be hacked; and do you really think the agreements you have with equipment manufacturers provide any protection?

The Next Move

Time will tell what ADT’s next move is; however, for your part, you may want to make sure your equipment is not susceptible to the same sort of issues. Another way to deal with this may be through your subscriber contract. After all, a good contract alerts subscribers to the fact that no system is foolproof; in fact, my form of contract addresses the wireless security issue directly. Another way to protect your company may be to deal with the possibility of a class action in your subscriber agreement — you can limit a subscriber’s right to bring a class action, but it is not as simple as some would have you think.

It is one thing to face an insured liability claims. It is very much something else to be a defendant in a class action. This is something you will want to deal with sooner rather than later.

Eric Pritchard is a Philadelphia Lawyer who spends his workday making the world safe for electronic security providers. He can be reached [email protected]. This column does not constitute legal advice; contact an attorney with questions.