Exploitable vulnerabilities are attention-grabbing, but they need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

Steve Ragan reported this week that researchers at Rapid7 disclosed vulnerabilities in Comcast's Xfinity home security system. The system uses wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant. Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference, whether incidental or intentional.

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chance of those communications being intercepted electronically. On the other hand, simple and user-friendly controls are far less cumbersome, but far easier for a determined adversary to overcome. Consumer-grade systems tend to err more on the side of usability: frustrated customers cost companies in the form of technical support, and tend not to be repeat customers.

The Xfinity system fails open, meaning a disabled sensor does not trigger an alarm. A simple radio frequency jammer can interfere with the sensors, preventing any alarm when someone opens a door or window or passes a motion sensor. A burglar with the right equipment can therefore disable the system and break in without ever triggering an alarm.

Think about it, though: do you want your home alarm to alert you every time a sensor briefly loses connectivity with the base station? Or worse, alert local authorities?
Many cities have local laws that assess citations and fines for false alarms. That Xfinity security systems are vulnerable to abuse in this manner is noteworthy, but there is a more important point to consider. Vulnerabilities need to be understood in the context of what is being protected, and in the context of who the intended user is.

As a consumer, or as an enterprise product specialist, include failure mode in your evaluation of a product. How does the product behave when things don't go as expected, and how do you want it to behave?

Do you have thoughts to add? Disagree? Comment below or hit me up on Twitter at @dnlongen.
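To make the failure-mode question concrete, here is an added example, a toy alarm panel written for this article and not code from Comcast, Rapid7 or the original post; it is not a claim about how the Xfinity base station is actually implemented. It models three ways a panel can react when sensor reports stop arriving (for instance while a jammer is running): fail open, as the article describes Xfinity doing; fail closed, where a single missed check-in raises an alarm; and a supervised middle ground that tolerates a few missed check-ins and then raises a "trouble" condition for the owner rather than an alarm for the authorities. The 60-second heartbeat, the three-beat grace period, the sensor names and the jamming timeline are all constructed assumptions for the illustration.

```python
"""Toy alarm panel comparing failure modes when sensor reports stop arriving.

Added example, not Comcast/Rapid7 code.  Intervals, names and the timeline are
constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    FAIL_OPEN = "fail_open"      # silence means "nothing happened"
    FAIL_CLOSED = "fail_closed"  # silence means "alarm" after one missed beat
    SUPERVISED = "supervised"    # short gaps tolerated; long silence is "trouble"


class State(Enum):
    OK = "ok"
    TROUBLE = "trouble"  # supervision lost: notify the owner, not the police
    ALARM = "alarm"      # a sensor reported "open" while the system was armed


@dataclass
class Sensor:
    heartbeat_s: float         # expected interval between check-ins (assumed)
    last_seen: float = 0.0     # time of the last report that actually arrived
    reported_open: bool = False


@dataclass
class Panel:
    policy: Policy
    missed_beats_allowed: int = 3   # SUPERVISED only: beats missed before TROUBLE
    sensors: dict = field(default_factory=dict)

    def add_sensor(self, name: str, heartbeat_s: float, t: float) -> None:
        self.sensors[name] = Sensor(heartbeat_s=heartbeat_s, last_seen=t)

    def ingest(self, name: str, kind: str, t: float) -> None:
        """Process one report that reached the base station (kinds: heartbeat/open/closed)."""
        s = self.sensors[name]
        s.last_seen = t
        if kind == "open":
            s.reported_open = True
        elif kind == "closed":
            s.reported_open = False
        # a plain heartbeat changes no state; it is only proof of life

    def evaluate(self, name: str, t: float) -> State:
        """Panel verdict for one sensor at time t, given what has (not) arrived."""
        s = self.sensors[name]
        if s.reported_open:
            return State.ALARM
        gap = t - s.last_seen
        if self.policy is Policy.FAIL_OPEN:
            return State.OK                     # silence is never suspicious
        if self.policy is Policy.FAIL_CLOSED:
            return State.ALARM if gap > s.heartbeat_s else State.OK
        if gap > self.missed_beats_allowed * s.heartbeat_s:
            return State.TROUBLE                # SUPERVISED: sustained silence
        return State.OK


def run_jamming_scenario(policy: Policy) -> dict:
    """Constructed timeline, in seconds: a door sensor checks in every 60 s.
    A jammer switches on at t=541, so the t=600 beat and everything after it,
    including the 'open' report at t=700, never reach the panel.  The verdict
    is sampled at t=605 (one missed beat) and t=900 (door already opened)."""
    panel = Panel(policy)
    panel.add_sensor("front_door", heartbeat_s=60, t=0)
    jammer_on_at = 541
    reports = [("front_door", "heartbeat", t) for t in range(60, 601, 60)]
    reports.append(("front_door", "open", 700))
    for name, kind, t in reports:
        if t < jammer_on_at:                    # jammed reports are simply lost
            panel.ingest(name, kind, t)
    return {
        "after_one_missed_beat": panel.evaluate("front_door", 605),
        "after_break_in": panel.evaluate("front_door", 900),
    }


def compare_policies() -> dict:
    return {p: run_jamming_scenario(p) for p in Policy}


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(policy.value, {k: v.value for k, v in verdicts.items()})
```

Running it shows the trade-off in one table: the fail-open panel reports "ok" even after the jammed door has been opened, the fail-closed panel alarms on the very first missed check-in (the false-alarm problem the article warns about), and the supervised panel stays quiet through a brief gap but flags "trouble" once the silence has lasted several check-in periods. None of the three is free; the point is to know which one you are buying.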