New-generation alarm systems that send real-time text alerts and other digital notifications if an intruder tries to breach a property offer homeowners a great sense of security.
Except when thieves can easily undermine the system to trick homeowners into thinking they’re protected when they’re not.
Philip Bosco, a security researcher at Rapid7, found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion. The system uses a ZigBee-based protocol to communicate and operate over the 2.4 GHz radio frequency band. All a thief has to do is use radio jamming equipment to block the signals that pass from a door, window, or motion sensor to the home’s baseband hub, according to Tod Beardsley, security research manager for Rapid7.
The system fails to recognize when communication is halted and also “fails positive” instead of alerting the homeowner to a negative condition—that is, it will continue reporting that all sensors are intact and that windows and doors are secured even if they’re not, instead of warning homeowners to check the window or door. Once the jamming ceases, it can take the sensors anywhere from a few minutes to three hours to re-establish communication with the hub. And once they do, the base station hub, which has a digital readout, provides no indication that conditions changed during that period.
“There’s no indicator to the user that something bad happened or something unusual—that it was being jammed for 20 minutes or whatever,” says Beardsley. “The sensor says ‘everything is cool, everything is cool,’ and then it stops talking, and the base station says ‘I guess everything is [still] cool’.” And once the sensor for a door or window comes back online, “There’s no clue to let the base station know, ‘While you weren’t acknowledging any of my signals, I was open.'”
It makes sense for the system to ignore minor communication breaks, because “you don’t want these to alert and go off every time you turn on the microwave,” Beardsley notes. “But this kind of device should fail ‘closed’ rather than ‘open’ and at least have some kind of amber light on them [to signal that] something is wrong.” The fact that it can take hours for the sensors to re-establish communication after a break is also a failure, Beardsley says. “I would expect several seconds to minutes offline-ness built in, but many minutes to hours seems like a bunch of software failures are colliding here,” he says.
Even more problematic, Comcast gives its home security system customers a sign to put on their lawn indicating that an Xfinity system is securing their property—making them an easy target for thieves who know about the vulnerabilities. “The sign that is designed to deter attackers can now become a sign that invites attackers,” Beardsley says.
Homeowners can’t take any practical measures to mitigate their risk of an attack. But the vendor could easily fix the problem with a firmware patch that would instruct the system to send alerts when something is not okay with it. It’s unclear, however, if Comcast plans to issue a patch. Rapid7 sent email to Comcast on November 2 to report the problem, but despite emailing several Xfinity addresses set up to receive security reports, the researchers received no reply.
The researchers also notified CERT of the issue in late November. CERT, a cybersecurity research division of Carnegie-Mellon University’s Software Engineering Institute, works with DHS and the private sector on security issues. Art Manion, senior vulnerability analyst with CERT, told that his group contacted the vendor November 24 and again December 10 but also got no response.
Comcast did not respond to a request for comment. But after our story published, spokesperson Charlie Douglas sent a statement implying that all home security systems have the same problem and therefore Comcast shouldn’t be singled out. “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers. The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate.” Experts were unable to verify if all other systems do indeed have the same problem.
Asked if Comcast intends to issue a patch, Douglas told, “This is an industry issue, and we will work with the industry and other partners to address it. If there are ways that can be designed to address this then it is in in everyone’s interest to work collaboratively to do that. But we have to look at the research carefully, talk with others and learn about whether or not that simple patch truly fundamentally addresses the baseline issue or if there are other things that could be done in addition to that.”
Comcast Xfinity offers customers a number of home security packages, some of which include surveillance cameras that can provide an additional method of checking for the presence of intruders. The basic Home-Secure 300 package, which costs about $40 a month and locks homeowners into a two-year agreement, comes with three door or window sensors. The Home-Secure 350 system costs about $50 a month and includes a motion sensor, two lighting controllers, and two indoor/outdoor cameras. But Beardsley notes that if the cameras are broadcasting over the same 2.4 GHz radio frequency band, a thief could block those signals as well.
Thieves can purchase radio jamming equipment on eBay or make their own with about $130 in parts and do-it-yourself instructions published on the internet. The Xfinity system’s security issue is just another in a long line of common security issues in Internet of Things devices. “We see these kinds of design decisions, these failure conditions, not really getting tested in Internet of Things devices [before they’re sold]” Beardsley says. “We see things come up thematically over and over again. CES is coming up [this week], and I expect to see tons and tons of devices—and probably very few of them have had security testing.” It should be mentioned that Comcast had to reset passwords of 200,000 accounts after information about its 590,000 accounts were put on sale online.
110 Reykjavik, Iceland