Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings. The flaws cause the system to falsely report that a home's windows and doors are closed and secured, even if they've been opened.
Comcast's Xfinity Home Security system is one of the many next-generation alarm systems that are app controlled and promise to deliver real-time alerts and notifications to homeowners.
However, researchers at Rapid7 have discovered flaws that would cause Comcast's system to falsely report that a home's doors and windows are closed and properly secured, even if they've been opened. In addition, the flaws also mean that Comcast's system would fail to sense an intruder's motion in the home.
Rapid7's Phil Bosco discovered the flaws last September.
The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band.
Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.
During a demonstration, Bosco placed a paired window/door sensor in tin foil shielding while the system was in an armed state. Bosco then removed the magnet from the sensor and opened the monitored entrance.
Once the magnet was removed, the sensor was unwrapped and placed within a few inches of the base station hub that controls the alarm system. The system continued to report that it was in armed state.
"Rapid7 has determined that there are any number of techniques that could be used to cause interference or de-authentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based de-authentication attacks on the ZigBee protocol itself," a security brief from Rapid7 explains.
"There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, when Rapid7 demonstrated the issue, they determined that the amount of time it takes for the sensor to re-establish communications with the base station and correctly report it is in an open state can range from several minutes to up to three hours."
There are no practical mitigations to the issue, Rapid7 says. A fix would require a software or firmware update to the base station to determine tolerance levels for radio failure conditions.
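The following sketch contrasts the fail-open behavior described above with a base-station check that applies a tolerance to radio silence. It is an added illustration, not Comcast's or Rapid7's code; the thresholds, status names and `Sensor` structure are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    OK = "ok"              # fresh report, contact closed
    OPEN = "open"          # fresh report, contact open, system disarmed
    DEGRADED = "degraded"  # short radio gap: log it, do not alert
    TROUBLE = "trouble"    # prolonged silence while disarmed
    ALARM = "alarm"        # prolonged silence or open contact while armed

# Assumed tolerances in seconds; a real product would tune these per sensor.
HICCUP_TOLERANCE = 30
OUTAGE_TOLERANCE = 180

@dataclass
class Sensor:
    name: str
    last_seen: float          # time of the last check-in received by the hub
    last_state_closed: bool   # contact state carried by that check-in

def fail_open_evaluate(sensor: Sensor, now: float, armed: bool) -> Status:
    """Behaviour described in the article: the last report is trusted forever."""
    if not sensor.last_state_closed:
        return Status.ALARM if armed else Status.OPEN
    return Status.OK  # `now` is ignored, so radio silence is never noticed

def evaluate(sensor: Sensor, now: float, armed: bool) -> Status:
    """Fail closed: a stale 'closed' reading is not evidence of a closed door."""
    silence = now - sensor.last_seen
    if silence > OUTAGE_TOLERANCE:
        return Status.ALARM if armed else Status.TROUBLE
    if silence > HICCUP_TOLERANCE:
        return Status.DEGRADED
    if not sensor.last_state_closed:
        return Status.ALARM if armed else Status.OPEN
    return Status.OK

def compare(silences, armed=True):
    """Constructed timeline: one sensor that last reported 'closed' at t=0."""
    s = Sensor("front-door", last_seen=0.0, last_state_closed=True)
    return [(t, fail_open_evaluate(s, t, armed).value, evaluate(s, t, armed).value)
            for t in silences]

if __name__ == "__main__":
    # 5 s, 1 min, 10 min and 3 h of radio silence while armed
    for row in compare([5, 60, 600, 10800]):
        print(row)
```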
Comcast was notified about the vulnerability, but the company didn't respond to Rapid7, according to disclosure notes. CERT was made aware of the issue in November; they're expected to publish a technical note about the issue later today.
"I hope that during the CES hoopla this week, vendors take notice of these kinds of failure conditions and apply some basic security design to address them. IoT devices tend to be designed with the happy path in mind, and often don’t consider an active adversary," Rapid7's Tod Beardsley said in a statement to CSO.
"In any home automation solution, including security products like the Xfinity line, I would expect at least some kind of logging to be happening in the event of a failure. You don’t want these radio devices alerting every time they get a hiccup on transmission, but if there’s a prolonged outage, I would expect this condition to be anticipated and handled by the vendors of these devices."
Comcast emailed the following statement to CSO after this story was published. In addition, in a statement to Wired, the company said that the email addresses used by Rapid7 to report the vulnerabilities were invalid.
"Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers. The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate. We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry."
Rapid7 reached out today (Jan 8, 2015) with an additional comment:
As of January 6, Comcast is working with Rapid7 to investigate the technical details of the disclosure and potential mitigations. They also flagged that Rapid7 attempted to disclose through invalid email addresses through the xfinity.net domain, and should instead have used "firstname.lastname@example.org." We acknowledge this and would like to apologize for the miscommunication.