If you saw my recent post on the best home security systems CNET has tested, then you know that you’ve got more options than ever these days. Upstart DIY systems like SimpliSafe, Abode, Ring Alarm and Nest Secure have given established powerhouses like ADT some dynamic new competition. Meanwhile, more and more homeowners are choosing to monitor their homes on their own via video doorbell.
All of these systems rely on wireless transmissions within your home and to the cloud, too — so what steps are these companies taking to keep those signals secure? And what about all of those video clips — how do these companies handle the footage, and what steps do they take to protect user privacy?
Those were the questions I asked six of the top systems we’ve written about. Specifically, I was interested in knowing what sort of encryption practices each system uses, as well as any measures each company takes to keep user data — mainly the saved video clips from their cameras — private.
I also asked each company about their apps — can you enable two-factor authentication to help keep someone from brute-forcing their way into your account? What about Face ID and Touch ID for iOS users?
Security providers can be understandably reluctant to detail their internal practices and the ways in which they keep their systems secure. The last thing they want is to provide bad guys with a precise view of what they’d be going up against were they ever to try and hack into the system. Still, some were willing to share their specific encryption standards (most employ Transport Layer Security, or TLS, which is the same standard used to encrypt much of the web). Others preferred to talk about their methodology in more general terms, such as SimpliSafe describing its encryption as “industry standard.”
More interesting might be each company’s policies for handling user video clips, which is less a question of security than one of privacy. Some companies simply store the clips for the user and delete them after a set period of time. Others follow procedures that allow them to view and analyze user clips in order to improve features like motion detection and facial recognition. That includes Ring, which didn’t specify how long it hangs on to those clips.
I’ve done my best to parse through all of it and summarize the responses in the table above. Below, you’ll find the exact, word-for-word responses that I received from spokespersons for each company:
Abode
1. How does Abode handle user camera footage? What practices are in place to help ensure privacy?
Video data is only kept within the Abode system for as long as the customer’s plan dictates. Free customers have access to three days of timeline, Connect customers have access to 14-days of timeline and Secure customers have access to 90-days of timeline. Video footage that is stored by the customer on Abode servers is kept secure and encrypted and not accessible to support staff or management. Abode does not share video data or any personal data with any third-party companies.
In the event of an alarm, if a customer has a camera enrolled within their Abode system and professional monitoring, video is sent to the central monitoring center to verify the alarm and if needed, dispatch the appropriate authorities. The moment that alarm is analyzed (dispatch vs. no dispatch) connection to video is severed and the CMC no longer has access to video or a customer’s live video feeds.
2. What steps does Abode take to prevent someone from hacking into the system, or from jamming it? What sort of encryption does Abode use?
The Abode gateway is constantly checking communications to the deployed wireless devices for gradual interference and if that is purposely being interfered with. Whenever a signal jamming period lasts longer than 30 seconds, a “Jamming” notification will be sent to the users and reported to the Central Monitoring Center where jamming operating procedures take place.
For data at rest, like video storage, Abode uses AES 256 encryption.
3. How does Abode keep the app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
Abode offers users the option to secure their account through two-factor authentication. Two-factor authentication adds additional security to your Abode home by requiring a code generated by the Google Authenticator App on your phone when logging in from a new device. For complete security, enable two-factor authentication for each user account that has access to your Abode system in your home. Customers can find additional information on two-factor authentication for their Abode home here. Additionally, Abode supports Touch ID and Face ID from Apple on the iOS app which adds extra security with additional convenience.
ADT
1. How does ADT handle each user’s camera footage? What practices are in place to help ensure privacy?
ADT is a proponent of Security and Privacy by Design principles, and our systems limit ADT’s ability to access our residential customer’s video footage, such as when needed to service a system for a customer. By policy, and through technical restrictions, this footage can only be accessed once specific protocols are followed, and use of those protocols is logged. Customers are also notified whenever designated ADT personnel have been authorized to access their system.
2. What steps does ADT take to prevent someone from hacking into the system, or from jamming it? What sort of encryption does ADT use?
ADT works closely with our product and technology partners to employ industry best practices to help minimize the risk of hacking for the intrusion prevention devices that we use, and we regularly conduct penetration testing of these products, as well as our own internal systems, to help minimize the risk of vulnerability exposure. While jamming is a potential issue for radio devices generally, ADT systems monitor for loss of connectivity with wireless devices and can report that to the customer.
ADT has also implemented two-way encrypted communications for sensors in the new ADT Command panel that allows for both secure communications, and awareness when a sensor has lost contact with the panel.
3. How does ADT keep the app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
ADT’s customer apps for their interactive security systems are secured using username and password, with Touch ID and Face ID options, if they are supported on the customer’s mobile device. Two-factor authentication is also supported on the new ADT Control application — now generally available across the United States. The Control application also allows access to be disabled remotely, if a customer loses their phone. All application access is logged, and available for the customer to review.
Comcast Xfinity Home
1. How does Comcast handle user camera footage? What practices are in place to help ensure privacy?
We have a team at Comcast dedicated specifically to camera security. We only activate video recording when customers opt-in and choose the service. We retain video files for customers with 24/7 Video Recording for 10 days on an encrypted server and then delete them. We retain video clips from Xfinity Home customers with rules-based video files for 30 days and then delete them. Customers can also choose to save their security camera files locally on their own devices. We do not use the recordings for marketing purposes or analyze them in any way.
2. What steps does Comcast take to prevent someone from hacking into Xfinity Home setups, or from jamming their signals? What sort of encryption does Comcast use?
We build security into our products from the design phase to the end of their life cycle. Our product security practices include routine security audits, 24/7 monitoring and penetration testing. We also work with the security research community to identify and resolve issues that may impact customers. RF signal jamming detection is built into our hardware and paired with algorithms running at all times to detect jamming attempts and report it to our backend systems. We meet or exceed industry standards for jamming detection in residential home security systems.
While the encryption we use varies by product and service, our security approach centers on widely adopted, standards-based encryption technologies. These include Transport Layer Security (TLS), certificate validation, field-level encryption for information stored in databases, on-disk encryption for any stored information and multi-factor authentication.
3. How does Comcast keep its app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
No user credentials are ever stored on the Xfinity Home mobile app. We also offer multifactor authentication for Xfinity Home and a number of other Xfinity products and services. Customers can find information about how to sign up for multifactor authentication here.
Nest
1. How does Nest handle user camera footage? What practices are in place to help ensure privacy?
Nest uses TLS to protect the transport of data from the camera to the Cloud. The video is encrypted at rest when stored in the Cloud. AES 256-bit encryption is used to encrypt the data.
Privacy or security sensitive actions, such as viewing video and audio content generated by customer usage of Nest products, always require permission/authenticated access authorized by the device owners.
2. What steps does Nest take to prevent someone from hacking into Nest Secure security systems and Nest Hello video doorbells, or from jamming their signals? What sort of encryption does Nest use?
At Nest, we design our products with security in mind — from the hardware components we use, to software and account level controls we provide to our users. Prior to release, Nest products undergo a rigorous security testing process where we identify and remediate security vulnerabilities that would impact the reliability of the Nest platform and the security of customer data.
Nest products require authenticated access to perform functions that change the configuration of the device after initial setup. No default credentials exist for configuration or setup functionality that could be reused from device to device.
Nest products leverage industry-standard encryption technology to protect data in transit over the internet. Data from your devices, such as video and audio content, that is stored in Google’s infrastructure is encrypted at rest.
The information that passes between Nest Detect sensors and Nest Guard is encrypted at multiple levels, including encryption during transmission, additional encryption that’s specific to the home the products are in, and encryption between our products and the cloud.
When security vulnerabilities are identified in a Nest product that has been released, we will remotely update the product to fix the issue as soon as possible. Nest uses embedded security measures such as code signing to validate software updates running on our devices to mitigate against device compromise.
Nest, in coordination with the Google bug bounty program, offers a bug bounty program to search for and address vulnerabilities. We also work with well-known and reputable security companies to conduct independent third party security audits of our products and services.
Nest Secure can detect jamming attacks and will alert customers if it senses an attack. Also, because Nest Detects don’t use Wi-Fi to communicate with the Nest Guard, even if your home Wi-Fi goes down, the Detects can still tell Guard to sound the alarm in the event of a break-in.
3. How does Nest keep its app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
Nest offers two-step verification, which helps prevent someone from signing into your account in the Nest app without your permission. With two-step verification your phone helps prove your identity any time you sign into your account or make other changes to security settings.
Ring
1. How does Ring handle user camera footage? What practices are in place to help ensure privacy?
We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.
We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.
2. What steps does Ring take to prevent someone from hacking into Ring Alarm and Ring Video Doorbell setups, or from jamming their signals? What sort of encryption does Ring use?
We have taken measures to make Ring devices secure. These include disallowing third party application installation on the device, rigorous security reviews, secure software development requirements and encryption of communication between Ring devices with other Amazon services such as AWS servers.
We understand the importance of keeping data secure and follow industry standards when it comes to encryption protection. We use a combination of AES encryption (Advanced Encryption Standard) and TLS (Transport Layer Security). We also encrypt the data between Ring Doorbells and Cams using AES encryption, TLS, and SRTP (Secure Real Time Protocol).
As a security company, security is at the core of Ring’s mission and drives everything we do. Ring dedicates significant time and money to product and network security. We have an in-house team that is constantly working to ensure Ring products are secure; we also work with several outside firms to perform security testing on all devices. In order to maintain your device’s security, we recommend keeping your firmware up-to-date and using strong, unique passwords for both your Wi-Fi network and device account.
3. How does Ring keep its app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
Two-factor authentication is currently rolling out to customers and will be available to all users soon. Ring values the trust our neighbors place in us and we are committed to the highest level of customer information and data security. As we continually work to make our devices and services more useful and secure for our users, we are actively developing new security features and capabilities, including the ability to reject compromised passwords.
SimpliSafe
1. How does SimpliSafe handle user camera footage? What practices are in place to help ensure privacy?
Our cameras are designed with privacy in mind at all steps:
• All of our indoor cameras have a built-in privacy shutter. Customers can open or close it whenever they want, from the app. We are actually the only security company that does this.
• All communication between the base station, the app and our indoor and outdoor cameras—whether it happens via Wi-Fi or via cellular signal—is encrypted.
• All video storage is totally opt-in. Customers who want their cameras to record video (rather than just live-streaming to the SimpliSafe app) choose to do that, and subscribe to recording services that enable this feature.
• Even then, recordings only happen when the camera is triggered (by movement, or by the system being otherwise triggered, armed or disarmed). Those videos are stored on a secure server for 30 days. Only ~10 of our engineers have access to the server. Even those employees are not able to view videos as stored, due to a proprietary storage method we developed. All of these recordings are deleted after 30 days.
2. What steps does SimpliSafe take to prevent someone from hacking into the system, or from jamming it? What sort of encryption does SimpliSafe use?
We adhere to industry standard encryption methods. Sensor communication with the Base Station is encrypted, as is communication from the Base Station to back-end servers. We have jam detection in place to prevent jamming.
3. How does SimpliSafe keep the app controls secure? If someone wants to reinforce their login with two-factor authentication or another added security measure, is that an option?
Two-factor authentication is currently in the works, and will be offered to customers on an opt-in basis. Same with notification systems around new IP addresses and devices, so that if you log in from an unrecognized device and/or location you will be notified.
Users can already see any mobile devices that are logged in on the web platform, and force log-out any of them.