A former employee of the ADT alarm company located in Dallas, USA, successfully exploited a “backdoor” – a vulnerability in the system – and used security cameras to spy on couples in intimate situations.
Telesforo Avilés, 35, admitted that over a five-year period he accessed the cameras of around 220 client accounts more than 9,600 times, without the permission or knowledge of the clients.
He even took note of houses with women he found attractive and then looked at the cameras. He admitted to observing naked women and couples having sex.
Avilés went further and explained to the court how he got into a system that was supposedly closed to him, all the more so as a former employee: he added his e-mail address to the list of users authorized to access customers' ADT accounts.
This allows the user to remotely log into the ADT home security system to turn lights on or off, activate or deactivate alarms, and also access the registry of security cameras.
Avilés sometimes told users that he should be added to this list to “test the system”. On other occasions, he was added without the knowledge of the victims.
Avilés admitted his actions last Thursday in the U.S. District Court for the Northern District of Texas, where he pleaded guilty to one count of computer fraud and one count of invasive registration.
He faces a maximum penalty of 5 years in prison.
In the meantime, what has the company said about this disturbing vulnerability?
According to Ars Technica, a spokesperson for ADT said the company alerted prosecutors to the situation in April last year after learning that Avilés had obtained unauthorized access to the accounts of 220 clients in the Dallas area.
The security company then contacted every customer “to help fix this” and released the following statement last month.
The problem that allowed this to happen is what is known in computer security as a “backdoor”: a (metaphorical) back door through which someone who is not the “official” user can enter the system.
The question is how to prevent such a thing from happening, and the first answer is very basic: check who has access to the security system. It sounds harmless, but in this case the former employee was simply added as a user, and only a few customers were told. To them he lied.
Never give a third party access to a personal system.
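The access-list check described above can also be run on the provider's side. The following is an added example, not code from ADT or the original article: it flags any e-mail address that sits on the authorized-user list of more than one customer account, the pattern this case left behind, and ranks it by camera views. The account IDs, addresses, log rows and data layout are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not ADT's real schema): one row per
# (customer account, e-mail on that account's authorized-user list).
AUTHORIZED_USERS = [
    ("acct-001", "owner1@example.com"),
    ("acct-001", "tech@example.net"),
    ("acct-002", "owner2@example.com"),
    ("acct-002", "spouse2@example.com"),
    ("acct-002", "Tech@Example.net "),   # same identity, different casing
    ("acct-003", "owner3@example.com"),
    ("acct-003", "tech@example.net"),
    ("acct-004", "owner4@example.com"),
]

# Constructed access log: (account, e-mail that opened a camera view).
CAMERA_ACCESS_LOG = (
    [("acct-001", "owner1@example.com")] * 3
    + [("acct-002", "tech@example.net")] * 40
    + [("acct-003", "tech@example.net")] * 25
    + [("acct-004", "owner4@example.com")] * 2
)


def shared_identities(authorized, max_accounts=1):
    """Return {email: sorted accounts} for e-mails authorized on more
    accounts than a single household identity should be."""
    accounts = defaultdict(set)
    for account, email in authorized:
        accounts[email.strip().lower()].add(account)
    return {e: sorted(a) for e, a in accounts.items() if len(a) > max_accounts}


def audit(authorized, access_log, max_accounts=1):
    """Rank flagged e-mails by account count, then by camera views."""
    views = defaultdict(int)
    for _account, email in access_log:
        views[email.strip().lower()] += 1
    flagged = shared_identities(authorized, max_accounts)
    report = [(e, len(a), views[e]) for e, a in flagged.items()]
    return sorted(report, key=lambda r: (-r[1], -r[2]))


if __name__ == "__main__":
    for email, n_accounts, n_views in audit(AUTHORIZED_USERS, CAMERA_ACCESS_LOG):
        print(f"{email}: authorized on {n_accounts} accounts, {n_views} camera views")
```
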