by David Longenecker

Putting the Comcast vulnerability in context

Opinion | Jan 06, 2016 | 3 mins
Tags: Smart Home, Vulnerabilities

Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

[Image: closeup of a burglar trying to break in through a chain-locked door. Credit: Thinkstock]

Steve Ragan reported this week that researchers at Rapid7 disclosed some vulnerabilities in Comcast’s Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant.

Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference – whether incidental or intentional. 

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.

On the other hand, simple and user-friendly controls are far less cumbersome, but far easier for a determined adversary to overcome. Consumer-grade systems tend to err more on the side of usability – frustrated customers cost companies in the form of technical support, and tend not to be repeat customers.

The Xfinity system fails open, meaning a disabled sensor does not trigger an alarm. A simple radio frequency jammer can interfere with the sensors, preventing any alarm when someone opens a door or window or passes a motion sensor. A burglar with the right equipment can easily disable the system and break in without triggering an alarm.

Think about it though: do you want your home alarm to alert you every time a sensor briefly loses connectivity with the base station? Or worse, alert local authorities? Many cities have local laws that assess citations and fines for false alarms.

That Xfinity security systems are vulnerable to abuse in this manner is noteworthy, but there is a more important point to consider. Vulnerabilities need to be understood in the context of what is being protected, and in the context of who is the intended user.

As a consumer, or as an enterprise product specialist, include failure mode in your evaluation of a product. How does the product behave when things don’t go as expected – and how do you want it to behave?
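The trade-off above (fail open and never bother the homeowner, or fail closed and risk a fine every time a sensor briefly drops off the air) has a middle ground: a supervision window, where the base station tolerates short silences and only raises a "sensor unsupervised" condition once a sensor has been quiet for longer than a chosen grace period. The following script is an added illustration of that idea and is not code from the article, from Rapid7 or from the Xfinity product; the heartbeat schedules, the sensor names and the grace periods are constructed sample values, and the 10-second check interval is an assumption.

```python
"""Supervision-window model for wireless alarm sensors (added example, constructed data).

Each sensor is expected to send a periodic heartbeat to the base station.
A fail-open base station ignores missing heartbeats entirely.  A base station
with a supervision window raises a "sensor unsupervised" condition only once a
sensor has been silent for longer than `grace_seconds`, so a brief dropout
does not become a false alarm while a sustained loss still gets noticed.
"""
from typing import Dict, List, Optional

# Constructed sample data: heartbeat timestamps in seconds since the panel
# was armed at t=0.  "front_door" misses two beats (180 s of silence) and then
# recovers; "back_window" goes quiet at 180 s and never comes back.
SAMPLE_HEARTBEATS: Dict[str, List[float]] = {
    "front_door": [0, 60, 120, 180, 240, 300, 480, 540, 600],
    "back_window": [0, 60, 120, 180],
}


def supervision_alerts(
    heartbeats: Dict[str, List[float]],
    horizon: float,
    grace_seconds: float,
    check_interval: float = 10.0,   # assumed polling period of the base station
    fail_open: bool = False,
) -> Dict[str, Optional[float]]:
    """Return, per sensor, the first check time at which silence exceeded the grace period.

    A value of None means the sensor never became unsupervised before `horizon`.
    With fail_open=True no sensor is ever reported, modelling a panel that
    treats a missing sensor exactly like a sensor that has nothing to report.
    """
    result: Dict[str, Optional[float]] = {}
    for sensor, beats in heartbeats.items():
        beats = sorted(beats)
        first_alert: Optional[float] = None
        if not fail_open:
            t = 0.0
            while t <= horizon:
                # Most recent heartbeat seen at or before the check time; a sensor
                # that has never reported is measured from arming time (t=0).
                last = max((b for b in beats if b <= t), default=0.0)
                if t - last > grace_seconds:
                    first_alert = t
                    break
                t += check_interval
        result[sensor] = first_alert
    return result


def describe(alerts: Dict[str, Optional[float]]) -> List[str]:
    """Human-readable summary of which sensors became unsupervised and when."""
    return [
        f"{sensor}: {'supervised throughout' if at is None else f'unsupervised at {at:.0f}s'}"
        for sensor, at in alerts.items()
    ]


if __name__ == "__main__":
    for label, kwargs in [
        ("fail open (no supervision)", {"grace_seconds": 300, "fail_open": True}),
        ("5-minute supervision window", {"grace_seconds": 300}),
        ("2-minute supervision window", {"grace_seconds": 120}),
    ]:
        print(label)
        for line in describe(supervision_alerts(SAMPLE_HEARTBEATS, 600, **kwargs)):
            print("  " + line)
```

With the five-minute window the front door's three-minute dropout is absorbed silently while the back window's sustained silence is still reported; shortening the window to two minutes flags both, which is the false-alarm cost the article describes. The right value depends on what is being protected and who has to live with the alerts, which is exactly the failure-mode question the next paragraph asks you to put into a product evaluation.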

Do you have thoughts to add? Disagree? Comment below or hit me up on Twitter at @dnlongen.

by David Longenecker
Contributor

I am a Security Specialist with nearly two decades of experience in system administration and architecture, LAN installation and operations, hacking and defending, incident handling, intrusion detection and prevention, risk management, cyber intelligence and threat assessment, and technical team leadership.

Separate from my "day job," I regularly blog about security topics ranging from risk tolerance to authentication, home network security, geotagging, social engineering and identity theft. I take pride in presenting complicated concepts in a clear manner such that the lay person can understand but the advanced technologist can find value.

A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, so I would hope I have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost.

I created and write for smallwordsecurity.com, as in security knowledge without all the big words.

The opinions expressed in this blog are those of David Longenecker and do not necessarily represent those of Intel Corporation or IDG Communications, Inc., its parent, subsidiary or affiliated companies.