Putting the Comcast vulnerability in context

Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

Comcast Vulnerabilities

Steve Ragan reported this week that researchers at Rapid7 disclosed some vulnerabilities in Comcast's Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant.

Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference - whether incidental or intentional. 

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.

On the other hand, simple and user-friendly controls are far less cumbersome, but far easier for a determined adversary to overcome. Consumer-grade systems tend to err more on the side of usability - frustrated customers cost companies in the form of technical support, and tend not to be repeat customers.

The Xfinity system fails open, meaning a disabled sensor does not trigger an alarm. A simple radio frequency jammer can interfere with the sensors, preventing any alarm when someone opens a door or window or passes a motion sensor. A burglar with the right equipment can easily disable the system and break in without triggering an alarm.

Think about it though: do you want your home alarm to alert you every time a sensor briefly loses connectivity with the base station? Or worse, alert local authorities? Many cities have local laws that assess citations and fines for false alarms.

That Xfinity security systems are vulnerable to abuse in this manner is noteworthy, but there is a more important point to consider. Vulnerabilities need to be understood in the context of what is being protected, and in the context of who is the intended user.

As a consumer, or as an enterprise product specialist, include failure mode in your evaluation of a product. How does the product behave when things don't go as expected - and how do you want it to behave?

Do you have thoughts to add? Disagree? Comment below or hit me up on Twitter at @dnlongen.

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful cybersecurity companies