It will soon be commonplace for garage door openers, thermostats and other mundane home amenities to be connected to the Internet. That makes cybersecurity researchers nervous. Photo: Getty Images/Cyrus McCrimmon/Contributor
That fancy new home alarm system might not be keeping you so safe after all. Vulnerabilities in Comcast’s Xfinity Home Security system could make it possible for burglars to break into someone’s home without triggering the alert that’s meant to notify someone when their home is at risk.
Researchers at the cybersecurity company Rapid7 exploited a security hole in the Xfinity Home Security System, which includes door, window and motions sensors, that enables an outsider to make it seem as if a window or door is closed when it’s in fact open. A thief would only need to spend $100-or-so on radio jamming equipment to block the signal that normally emits from an open door. Then when the jammed signal is released it takes anywhere from just a few minutes to three hours to restore its connection.
“There’s no indicator to the user that something bad happened or something unusual – that it was being jammed for 20 minutes or whatever, ” Tod Beardsley, security research manager for Rapid7, told Wired, which first reported the news Tuesday. “The sensor says ‘everything is cool, everything is cool, ’ and then it stops talking, and the base station says ‘I guess everything is [still] cool.’”
Rapid7 alerted Comcast to the issue on November 7, Wired reported, but received no response. Rapid7 also notified the U.S. Computer Emergency Readiness Team, the Department of Homeland Security sector responsible for cybersecurity information sharing. CERT is expected to issue a notification about the vulnerability Tuesday, according to CSO Online.
Rapid7’s discovery is a real-life example of the fears that have haunted cybersecurity researchers about Internet of Things for years. As companies rush to release new products that are always connected to the Internet, the logic goes, many will fail to build in security from the start.
“If you don’t have confidence in the company you’re doing business with, you probably won’t do business with them, " Tim Fitzgerald, chief security officer at Symantec, said at a news conference in October. "That’s going to help raise the bar when it comes to customers’ expectations about what companies need to do.”