• United States



Flaws in Comcast’s Xfinity Home Security: System fails to warn homeowners of intruders

Jan 05, 20164 mins
Data and Information SecuritySecurity

Thanks to flaws in Xfinity Home Security systems, intruders could break in and homeowners would not be alerted. Comcast's Xfinity failed to reply to security researchers or CERT as both tried to disclose the vulnerabilities to the vendor.

Rapid7 disclosed serious flaws in Comcast’s Xfinity Home Security system which thieves or thugs could exploit to break into homes while the homeowners continue to receive ‘it’s-all-good’ messages even as an intruder moves about the house. Even worse, there currently is no fix.

Comcast customers might be induced to sign up for one of the Xfinity Home Security packages as the company suggests options like being able to check in on your kids, your pets, and “the things you love most.” With Xfinity Home Security, Comcast said you can “Sit back. Relax. You’re in control.” But today Rapid7 publicly disclosed vulnerabilities in Xfinity Home Security, flaws that can cause the security system to fail to sense motion and instead continue to report “All sensors are intact and all doors are closed. No motion is detected.”

The first problem is that motion sensors could fail to report motion; a bad guy could be moving around in the house and the homeowner wouldn’t be alerted; Rapid7 explained why the Xfinity Home Security would report a window or door is closed even if it is open. The system uses a ZigBee-based protocol and communicates over the 2.4GHz radio frequency band; an attacker could jam the radio frequency or launch a software-based deauthentication attack on the ZigBee protocol. In both cases, the Xfinity Home Security base station fails to detect the communication breakdown in the component sensors and continues to give a thumb’s up message as opposed to alerting homeowners that there is a problem.

The system will continue to report it is armed even when the sensors are not communicating with the hub. Sure, homeowners do not want to be spammed with alerts for every little hiccup, but Rapid7 said, “There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, the sensors take a significant amount of time to re-establish communication with the hub when the radio failure subsides.”

In fact, the researchers discovered that the “amount of time it takes for the sensor to re-establish communications with the base station and correctly report is in an open state can range from several minutes to up to three hours.”

While you might be thinking that the average crook couldn’t abuse the Xfinity home security system, jamming is really not rocket science. In fact, Rapid7 added, “There are any number of techniques that could be used to cause interference or deauthentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based deauthentication attacks on the ZigBee protocol itself.”

If you are looking for mitigation, you will be disappointed. Perhaps the best thing to do right now is take down or cover up the Xfinity home security sign in your yard. Until there is a fix, that security sign might as well be advertising, “Come rob me; I won’t tell the homeowner.” Even if you were monitoring the security system messages, you would be blissfully unaware of intruders until you physically walk into your house.

Not only is there no fix, there is no timeline by Comcast Xfinity for a firmware patch. Rapid7 said, “A software/firmware update appears to be required in order for the base station to determine how much and how long a radio failure condition should be tolerated and how quickly sensors can re-establish communications with the base station.”

Rapid7’s Phillip Bosco first discovered the flaws on Sept. 28; After reviewing the issues, Rapid7 attempted contact on Nov. 2 and emailed several Comcast Xfinity addresses to disclose the vulnerability. Comcast being Comcast, it didn’t bother to reply. So on Nov. 23, Rapid7 handed the details over to CERT which also attempted to contact the vendor; again there was no response.

Ah, Comcast…ignoring the problem even as you continue to charge customers for a faulty security system won’t help your image as one of the most despised companies in the USA.

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.