Comcast's Xfinity Home Security vulnerable, fail open flaw leaves homes exposed
Comcast's Xfinity Home Security system is one of the many next-generation alarm systems that are app controlled and promise to deliver real-time alerts and notifications to homeowners.
However, researchers at Rapid7 have discovered flaws that would cause Comcast's system to falsely report that a home's doors and windows are closed and properly secured, even if they've been opened. In addition, the flaws also mean that Comcast's system would fail to sense an intruder's motion in the home.
Rapid7's Phil Bosco discovered the flaws last September.
The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band.
Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected.
During a demonstration, Bosco placed a paired window/door sensor in tin foil shielding while the system was in an armed state. Bosco then removed the magnet from the sensor and opened the monitored entrance.
Once the magnet was removed, the sensor was unwrapped and placed within a few inches of the base station hub that controls the alarm system. The system continued to report that it was in armed state.
"Rapid7 has determined that there are any number of techniques that could be used to cause interference or de-authentication of the underlying ZigBee-based communications protocol, such as commodity radio jamming equipment and software-based de-authentication attacks on the ZigBee protocol itself," a security brief from Rapid7 explains.
"There does not appear to be a limit to the duration of the failure in order to trigger a warning or other alert. In addition, when Rapid7 demonstrated the issue, they determined that the amount of time it takes for the sensor to re-establish communications with the base station and correctly report is in an open state can range from several minutes to up to three hours."
There are no practical mitigations to the issue, Rapid7 says. A fix would require a software or firmware update to the base station to determine tolerance levels for radio failure conditions.
Comcast was notified about the vulnerability, but the company didn't respond to Rapid7 according to disclosure notes. CERT was made aware of the issue in November; they're expected to publish a technical note about the issue later today.
"I hope that during the CES hoopla this week, vendors take notice of these kinds of failure conditions and apply some basic security design to address them. IoT devices tend to be designed with the happy path in mind, and often don’t consider an active adversary," Rapid7's Tod Beardsley said in a statement to CSO.
"In any home automation solution, including security products like the Xfinity line, I would expect at least some kind of logging to be happening in the event of a failure. You don’t want these radio devices alerting every time they get a hiccup on transmission, but if there’s a prolonged outage, I would expect this condition to be anticipated and handled by the vendors of these devices."